Defending Against Web Application Attacks

B. Arunmozhi M.E., Navaneetha Priya R

Published in International Journal of Advanced Research in Computer Science Engineering and Information Technology

ISSN: 2321-3337    Impact Factor: 1.521    Volume: 6    Issue: 3    Year: 02 May 2021    Pages: 1629-1636


Abstract

Many of the most dangerous web attacks, including cross-site scripting and SQL injection, exploit vulnerabilities in web applications that accept and process data of uncertain origin without proper validation or filtering, allowing the injection and execution of dynamic or domain-specific language code. These attacks have consistently topped the lists of various security bulletin providers despite the several countermeasures that have been proposed over the past 15 years. In this paper, we provide an analysis of numerous defense mechanisms against web code injection attacks. We propose a model that highlights the key weaknesses enabling these attacks and that provides a common perspective for studying the available defenses. We then categorize and analyze a set of 41 previously proposed defenses based on their accuracy, performance, deployment, security, and availability characteristics. Detection accuracy is of particular importance, as our findings show that many protection mechanisms have been tested poorly. In addition, we observe that some mechanisms can be bypassed by attackers with knowledge of how the mechanisms work. Finally, we discuss the results of our analysis, with emphasis on factors that may hinder the wide adoption of defenses in practice.
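The key weakness the abstract names, untrusted data flowing into a query or into HTML markup without validation or filtering, is easiest to see side by side with its fix. The block below is an added example, not code from the paper or its authors: it uses Python's standard sqlite3 and html modules against a constructed in-memory table, and all function names are mine.

```python
import html
import sqlite3


def make_db():
    """Constructed sample data: an in-memory table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def find_user_unsafe(conn, name):
    """SQL injection weakness: the untrusted value is spliced into the
    query text, so characters in it (quotes, OR, comments) become part of
    the query's structure rather than plain data."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    """Hardened form: a parameterized query keeps the value as data.
    The driver never lets it alter the statement, whatever it contains."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting_unsafe(name):
    """XSS weakness: untrusted text is written straight into markup, so a
    value containing tags is interpreted by the browser as HTML."""
    return f"<p>Hello, {name}</p>"


def render_greeting_safe(name):
    """Hardened form: context-aware output encoding turns <, >, &, and
    quotes into entities, so the value is displayed, not parsed as HTML."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # constructed input containing a quote and a boolean clause
    print("unsafe rows:", len(find_user_unsafe(db, probe)))  # structure altered: 2
    print("safe rows:  ", len(find_user_safe(db, probe)))    # treated as data: 0
    print(render_greeting_safe("<b>guest</b>"))
```

The same pattern is what most of the surveyed defenses try to enforce or detect after the fact: the hardened functions fix the weakness at the point where data meets code, whereas a filter placed in front of `find_user_unsafe` has to recognize every harmful encoding of the input, which is where the bypasses the abstract mentions come from.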

Keywords

Defense mechanisms, Detection, Web attacks
