SlideShare a Scribd company logo

IRJET- Survey on Web Application Vulnerabilities

IRJET Journal
IRJET Journal

https://www.irjet.net/archives/V6/i9/IRJET-V6I9135.pdf

Engineering
1 of 4
Download to read offline
International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056 Volume: 06 Issue: 09 | Sep 2019 www.irjet.net p-ISSN: 2395-0072 © 2019, IRJET | Impact Factor value: 7.34 | ISO 9001:2008 Certified Journal | Page 922 Survey on Web Application Vulnerabilities Yogesh Kumari Assistant Professor, Department of Computer Science, Shivaji College, Delhi University, New Delhi, India ---------------------------------------------------------------------***---------------------------------------------------------------------- Abstract - As in the last few years discovery of World Wide Web has grown rapidly. This has made web applications an important aspect to provide end users all the necessary features toaccess server functionality. Today, web application is one of the most widely used platforms to deliver information and services over Internet. Many WorldWideWebapplications are used in many security critical environments including medical, financial, e-commerce, military systems. A web application is the one that provides server functionality to its end users through a number of web pages. These web pages contain code that executes dynamically resulting client's queries. Although many techniques have been developed to fortify web applications and mitigate attacks towards web applications. Web applications are prone to attacks like browser hijacking, session riding,andcookietheft.Thispaperexplainstheworking of web applications and the existing security vulnerabilities possible in web applications. Key Words: Web application vulnerabilities, SQL injection, cross-side scripting 1. INTRODUCTION Today Internet has turned outtobean effectiveway of communication all over the world. Millions of businesses use Internet to exchange information with target market. It is also true that effective marketing is only possible when business is able to capture all the necessary informationand store it in an effective way so that later on, information can be processed with the accurate result to the end user. Web application utilizes web browsers and various web technologies to carry out task over the Internet. Web application includes shopping carts, online forms, spreadsheets, file conversion, photo and video editing,word processing, file processing and more. Web application can be accessed with the same version without any compatibility issues. Web applications run on multiple platforms regarding of device or the operating system. How Web Application Works? Web application uses client side script to present information to end users, using JavaScript and HTML. While server sidescripts are used to handle storage andretrievalof information using PHP and ASP. Through this only,endusers are capable to interact with any website which includes online forms, content management systems, shopping carts. Every web application requires a web server, application server and database. Web server is required to manage requests from clients. Application server is required to perform the query submitted by end user and database is used to store the information. Whenever a web server receives a request from an end user for any web page, the web server sends the page to the requesting browser and it passes the page to application server. The application server reads code on the page, performed the requested task like querying the database or processing any data and generates the accurate results. The result is passes back to web server by application server as static HTML page. At first, user sends the request to web server through application’s user interface or web browser. The same request is forwarded to web application server through web browser. Application server performs the task by requesting database server for any query, as soon as the query is processed, application server gets the results. Further, application server sends result to web server andwebserver respond back to the client with the results. Figure1: Working of Web Application
International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056 Volume: 06 Issue: 09 | Sep 2019 www.irjet.net p-ISSN: 2395-0072 © 2019, IRJET | Impact Factor value: 7.34 | ISO 9001:2008 Certified Journal | Page 923 2. BACKGROUND Over the last few years, web applications have turned out be a favoritesubject where attacks tends to attack.Cross-site scripting, cookie poisoning came in picture. For instance, when a website is vulnerable to cross-site scripting, it means user cookie can be theft. And if cookie has been compromised,attackercanperformsessionhijackingandcan have access onto user’s account. Thus, it is very important to understand what are the ways through which attacker can attackany website.Whatcouldbethepossiblevulnerabilities in any web application? 3. CLASSIFICATION OF WEB APPLICATION VULNERABILITIES There are various types of vulnerabilities that have been presented as a thread to any web application. The following classes of attacks are as follows: 3.1. Authentication The Authentication talks about the attack that targets the method of validating the identity of a user, anyapplicationor any service. Authentication can be performed by any of the mechanism like something you have, somethingyouknowor something you are. 1. Brute Force Brute force attack is a hit and trial method to guess the usernameor password. In this attackercangeneratemillions of thousands of incorrect guess. And if the brute force is successful, the attacker is able to access the account. 2. Insufficient Authentication Insufficient Authentication attack takesplacewhenevera web application provides access to get sensitive information or any functionality without properly authentication. If a resource is unknown to anattacker,itstillremainsaccessible through a specific URL. For instance, Most of the websites have been designed with administrative functionality provided in root directory /admin/. Though the directory is not linked to anywhere but it can still be accessed through a standard web browser. If somehow attacker visits this page, entire administrative access of the web application would be gone. 3. Weak Password Recovery Validation Any website tends to have weak password recovery validation when it permits anyone to illegally obtain, change or recover anyone’s password. It happens when any information which is required to validate user’s identity can be circumvented. There are various ways through which password recovery systems can be compromised, such as brute force attacks, easily guessed secret questions. For instance, in many cases, website provides hint to remind users of their password.Somewebsitesrequestusers to provide email address with the combination of the phone number. Such information can be easily gained through online white pages. 3.2 Authorization Authorization section includes attacks that target web application’s method of determining if the user has permissions in order to perform a specific task or request. There are various techniques through which an attacker can fool a web site into increasing their privileges to gain protected information. 1. Session Prediction Websites are designed in such a way that a user connection is established by providing correct credentials in order to authenticate and track a user. Websites generate unique session ID to identify user session as authenticated. So, session ID is the proof and if this session ID is somehow gained by attacker, fraudulent activates are possible. 2. Insufficient Session Expiration If any web application provides access via old session credentialsorsessionID,attackercangainaccess.Insufficient session expiration increases web application exposure through which attacker can attack or steal any user’s personal information. A stolen session ID can be used to perform any fraudulent transaction. If the expiration time of session is more, more is the chances that attacker will guess the valid session ID. Such expiration can be exploitedtoview user’s activity over Internet. 3. Session Fixation Session Fixation is another technique of attack in which user’s session ID is given an explicit value. A number of techniques are used to fix the session ID value depending on the functionality of target website. Once the value is fixed, attacker wait for legitimate user to login. Once login credentials are given to successful login, the attacker uses predefined session ID value. 4. Insufficient Authorization When a website permits an end user to access sensitive data that shouldrequireincreasedaccesscontrolrestrictions. Even if a user is authenticated, full access of sensitivecontent and functionality must not be granted. For instance, many websites store administrative content and functionality in directory /admin and /log. If an attacker gets the access of these directories,theentireinformationcanbecompromised. 3.3 Client-Side Attacks The client side attacks basically focuses on the exploitation of website’s users.
International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056 Volume: 06 Issue: 09 | Sep 2019 www.irjet.net p-ISSN: 2395-0072 © 2019, IRJET | Impact Factor value: 7.34 | ISO 9001:2008 Certified Journal | Page 924 1. Content Spoofing Content Spoofing is an attack technique that permits an attacker to inject malicious code which later can be misrepresented as the legitimate content of any web application. For instance, <HTML> <FRAMESET COLS=”100, *”> <FRAME NAME=”pr_menu” SRC=”menu.html”> <FRAME NAME=”pr_content SRC=”http://foo.example/pr/01012003.html> </FRAMSET> </HTML> In this code, if an attacker altered the URL to http://foo.example/pr?pg=http://attacker.example/sp oofed_press_release.html? <HTML> <FRAMESET COLS=”100, *”> <FRAME NAME=”pr_menu” SRC=”menu.html”> <FRAME NAME=”pr_content SRC=” http://attacker.example/spoofed_press_release.html”> </FRAMESET> </HTML> I. Cross-Site Scripting Cross-site scripting is an attack technique in which attacker’s supplied executable code is echoed through any web application. Persistentandnonpersistentattacksarethe two cross-site scripting attack. In non-persistent attack, end user is required tovisitcraftedlinklacedwithmaliciouscode. Once the link is clicked, the code is embedded in the URL and executed within user’s web browser. Whereas, in case of persistent attack, malicious code is submitted to website where it is stored for a period of time. 2. Command Execution In this section, attacks are covered which are designed to execute remote commands on any web application. I. Buffer Overflow Buffer overflow occurs when data written to a memory exceeds the allocated size of the buffer. Once the buffer is overflow, it can cause the software to crash or fault. Buffer overflow also used as denial of service attack when memory is corrupted resulting as software failure. II. OS Commands In this type of attack, Operating system commands are used to exploit website through manipulation of application input. For instance, exec("ls -la $dir",$lines,$rc); While executing Shellcommand,appending(;)semicoloncan force the web application into executing second command http://example/directory.php?dir=%3Bcat%20/etc/pass Retrieving the content of /etc/passwd file. III. SQL Injections In SQL injection attack, attacker sends the malicious input through application interfaceandqueriesareexecutedin the database giving attacker the control over the database. For instance, in this entering the right query i.e. 2 , the correct result will be shown from the database. Figure2 But in SQL injection attack, the attacker has given wrong query i.e.17 OR with equality symbol, OR is always going to give the answer “1” and ultimately providing access to the database. Figure3
International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056 Volume: 06 Issue: 09 | Sep 2019 www.irjet.net p-ISSN: 2395-0072 © 2019, IRJET | Impact Factor value: 7.34 | ISO 9001:2008 Certified Journal | Page 925 Even an attacker submitsaloginandpasswordthatlookslike Login: ‘ OR ‘‘=’’ Password: ‘ OR ‘’=’’ Select Username from userswhere Username=’’ OR ‘’=’’ AND Password= ‘’OR ‘’=’’ This query compares empty string with an empty string and resulting TRUE results and providingattackertobeloggedin. IV. Path Traversal The Path Traversal attack forces access to file and directories that reside outside the web document root directory. Any device which exposes HTTP based interface makes it potentially vulnerable to Path Traversal attack. The most basic path traversal attack uses “…/” character sequence to alter resource location requested in the URL. Path Traversal against a web server Attack: http://example/../../../../../some/file Attack:http://example/..%255c..%255c..%255csome/file Attack: http://example/..%u2216..%u2216some/file 3. Logical Attacks The logical attacks focus on the exploitation of web application’s logical flow. Few examples of application logics are password recovery, auction bidding,accountregistration and e-commerce purchases. I. Denial of Service Denial of Service attack prevents a website from serving normal user activities. Denial of Service attack is used to target any specific user, database server and the web server. An intruder can lock out anyspecific user by repeatedlylogin attempts, use of SQL injections to modify database system to make it unstable and buffer overflow technique to crash or fault the web server. 4. CONCLUSIONS Web applications have become most commonandwidely used communication medium for day-to-day activities. An attacker can easily attack any web application if there is any fault in its design, implementation or deployment. There are many ways through which an intruder can break into a system and weakenit.Thispaperdiscussedmostwidelyused web application vulnerabilities which intrude web application security. An increasing amount of logic and application codeis moving towardsclient sideasaresult,itis bringing new securitychallenges. The attacker is able to gain more knowledgeabout the application results in compriseof server side application state. REFERENCES [1] Web Application Security Consortium: Thread Conclusion version 1.0.0 by webappsec.org. [2] Classification of Web Application Vulnerabilities, Savita B. Chavan and Dr. B. B. Meshram, V.J.T.I, Mumbai, India V.J.T.I, Mumbai, India [3] A Survey on Server-side Approaches to Securing Web Applications XIAOWEI LI Vanderbilt University YUAN XUE VanderbiltUniversity [4] Web Application Vulnerabilities: A Survey, Vandana Dwivedi, Himanshu Yadav and Anurag JainRITS,Bhopal (India) [5] OWASP Top 10 Web Application Vulnerabilities.http:// www.applicure.com/blog/owasp-top-10-2010 [6] A. Klein. “Cross Site Scripting Explained” Technical report, Sanctum Inc., June 2002. [7] Open Web Application Security Project. The ten most critical Web application security vulnerabilities. http://umn.dl.sourceforge.net/sourceforge/ owasp/OWASPTopTen2004.pdf, 2004. [8] Z. Su and G. Wassermann. The essence of command injection attacks in Web applications. In Proc. POPL, 2006 [9] Security Code Review- Identifying Web Vulnerabilities by Kiran Maraju.

Recommended

COUNTER CHALLENGE AUTHENTICATION METHOD: A DEFEATING SOLUTION TO PHISHING ATT...
COUNTER CHALLENGE AUTHENTICATION METHOD: A DEFEATING SOLUTION TO PHISHING ATT...COUNTER CHALLENGE AUTHENTICATION METHOD: A DEFEATING SOLUTION TO PHISHING ATT...
COUNTER CHALLENGE AUTHENTICATION METHOD: A DEFEATING SOLUTION TO PHISHING ATT...IJCSEA Journal
 
Lecture #24 : Cross Site Request Forgery (CSRF)
Lecture #24 : Cross Site Request Forgery (CSRF)Lecture #24 : Cross Site Request Forgery (CSRF)
Lecture #24 : Cross Site Request Forgery (CSRF)Dr. Ramchandra Mangrulkar
 
Dynamic watermarking
Dynamic watermarkingDynamic watermarking
Dynamic watermarkingEditor Jacotech
 
A Multidimensional View of Critical Web Application Security Risks: A Novel '...
A Multidimensional View of Critical Web Application Security Risks: A Novel '...A Multidimensional View of Critical Web Application Security Risks: A Novel '...
A Multidimensional View of Critical Web Application Security Risks: A Novel '...Cognizant
 
Are you fighting_new_threats_with_old_weapons
Are you fighting_new_threats_with_old_weaponsAre you fighting_new_threats_with_old_weapons
Are you fighting_new_threats_with_old_weaponsBhargav Modi
 
Prevention Against CSRF Attack using Client Server Mutual Authentication Tech...
Prevention Against CSRF Attack using Client Server Mutual Authentication Tech...Prevention Against CSRF Attack using Client Server Mutual Authentication Tech...
Prevention Against CSRF Attack using Client Server Mutual Authentication Tech...IRJET Journal
 
RESTful Day 5
RESTful Day 5RESTful Day 5
RESTful Day 5Akhil Mittal
 
Web Vulnerabilities And Exploitation - Compromising The Web
Web Vulnerabilities And Exploitation - Compromising The WebWeb Vulnerabilities And Exploitation - Compromising The Web
Web Vulnerabilities And Exploitation - Compromising The WebZero Science Lab
 

Recommended

COUNTER CHALLENGE AUTHENTICATION METHOD: A DEFEATING SOLUTION TO PHISHING ATT...
COUNTER CHALLENGE AUTHENTICATION METHOD: A DEFEATING SOLUTION TO PHISHING ATT...COUNTER CHALLENGE AUTHENTICATION METHOD: A DEFEATING SOLUTION TO PHISHING ATT...
COUNTER CHALLENGE AUTHENTICATION METHOD: A DEFEATING SOLUTION TO PHISHING ATT...IJCSEA Journal
 
Lecture #24 : Cross Site Request Forgery (CSRF)
Lecture #24 : Cross Site Request Forgery (CSRF)Lecture #24 : Cross Site Request Forgery (CSRF)
Lecture #24 : Cross Site Request Forgery (CSRF)Dr. Ramchandra Mangrulkar
 
Dynamic watermarking
Dynamic watermarkingDynamic watermarking
Dynamic watermarkingEditor Jacotech
 
A Multidimensional View of Critical Web Application Security Risks: A Novel '...
A Multidimensional View of Critical Web Application Security Risks: A Novel '...A Multidimensional View of Critical Web Application Security Risks: A Novel '...
A Multidimensional View of Critical Web Application Security Risks: A Novel '...Cognizant
 
Are you fighting_new_threats_with_old_weapons
Are you fighting_new_threats_with_old_weaponsAre you fighting_new_threats_with_old_weapons
Are you fighting_new_threats_with_old_weaponsBhargav Modi
 
Prevention Against CSRF Attack using Client Server Mutual Authentication Tech...
Prevention Against CSRF Attack using Client Server Mutual Authentication Tech...Prevention Against CSRF Attack using Client Server Mutual Authentication Tech...
Prevention Against CSRF Attack using Client Server Mutual Authentication Tech...IRJET Journal
 
RESTful Day 5
RESTful Day 5RESTful Day 5
RESTful Day 5Akhil Mittal
 
Web Vulnerabilities And Exploitation - Compromising The Web
Web Vulnerabilities And Exploitation - Compromising The WebWeb Vulnerabilities And Exploitation - Compromising The Web
Web Vulnerabilities And Exploitation - Compromising The WebZero Science Lab
 
IRJET- Phishing Website Detection based on Machine Learning
IRJET- Phishing Website Detection based on Machine LearningIRJET- Phishing Website Detection based on Machine Learning
IRJET- Phishing Website Detection based on Machine LearningIRJET Journal
 
React security vulnerabilities
React security vulnerabilitiesReact security vulnerabilities
React security vulnerabilitiesAngelinaJasper
 
Sip 140208055023-phpapp02
Sip 140208055023-phpapp02Sip 140208055023-phpapp02
Sip 140208055023-phpapp02mark scott
 
XSS, LFI & CSRF vulnerabilities
XSS, LFI & CSRF vulnerabilitiesXSS, LFI & CSRF vulnerabilities
XSS, LFI & CSRF vulnerabilitiesCTM360
 
ANDROID APPLICATION FOR PASSWORDLESS LOGIN FOR WEB APPLICATIONS
ANDROID APPLICATION FOR PASSWORDLESS LOGIN FOR WEB APPLICATIONSANDROID APPLICATION FOR PASSWORDLESS LOGIN FOR WEB APPLICATIONS
ANDROID APPLICATION FOR PASSWORDLESS LOGIN FOR WEB APPLICATIONSJournal For Research
 
A literature survey on anti phishing
A literature survey on anti phishingA literature survey on anti phishing
A literature survey on anti phishingIJCSES Journal
 
Smart-Authentication: A secure web service for providing bus pass renewal system
Smart-Authentication: A secure web service for providing bus pass renewal systemSmart-Authentication: A secure web service for providing bus pass renewal system
Smart-Authentication: A secure web service for providing bus pass renewal systemIRJET Journal
 
An Overview on Authentication Approaches and Their Usability in Conjunction w...
An Overview on Authentication Approaches and Their Usability in Conjunction w...An Overview on Authentication Approaches and Their Usability in Conjunction w...
An Overview on Authentication Approaches and Their Usability in Conjunction w...IJERA Editor
 
Hack using firefox
Hack using firefoxHack using firefox
Hack using firefoxReza Nurfachmi
 
Android Based Total Security for System Authentication
Android Based Total Security for System AuthenticationAndroid Based Total Security for System Authentication
Android Based Total Security for System AuthenticationIJERA Editor
 
A novel way of integrating voice recognition and one time passwords to preven...
A novel way of integrating voice recognition and one time passwords to preven...A novel way of integrating voice recognition and one time passwords to preven...
A novel way of integrating voice recognition and one time passwords to preven...ijdpsjournal
 
Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016Sumanth Damarla
 
Study on Phishing Attacks and Antiphishing Tools
Study on Phishing Attacks and Antiphishing ToolsStudy on Phishing Attacks and Antiphishing Tools
Study on Phishing Attacks and Antiphishing ToolsIRJET Journal
 
Lecture #22: Web Privacy & Security Breach
Lecture #22: Web Privacy & Security BreachLecture #22: Web Privacy & Security Breach
Lecture #22: Web Privacy & Security BreachDr. Ramchandra Mangrulkar
 
Web security landscape Unit 3 part 2
Web security landscape Unit 3 part 2Web security landscape Unit 3 part 2
Web security landscape Unit 3 part 2SURBHI SAROHA
 
Owasp web security
Owasp web securityOwasp web security
Owasp web securityPankaj Kumar Sharma
 
Sms based otp
Sms based otpSms based otp
Sms based otpHai Nguyen
 
Web Application Security Tips
Web Application Security TipsWeb Application Security Tips
Web Application Security Tipstcellsn
 
A10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and ForwardsA10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and ForwardsShane Stanley
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developersJohn Ombagi
 
OFFTECH TOOL AND END URL FINDER
OFFTECH TOOL AND END URL FINDEROFFTECH TOOL AND END URL FINDER
OFFTECH TOOL AND END URL FINDERIRJET Journal
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityColin English
 

More Related Content

What's hot

IRJET- Phishing Website Detection based on Machine Learning
IRJET- Phishing Website Detection based on Machine LearningIRJET- Phishing Website Detection based on Machine Learning
IRJET- Phishing Website Detection based on Machine LearningIRJET Journal
 
React security vulnerabilities
React security vulnerabilitiesReact security vulnerabilities
React security vulnerabilitiesAngelinaJasper
 
Sip 140208055023-phpapp02
Sip 140208055023-phpapp02Sip 140208055023-phpapp02
Sip 140208055023-phpapp02mark scott
 
XSS, LFI & CSRF vulnerabilities
XSS, LFI & CSRF vulnerabilitiesXSS, LFI & CSRF vulnerabilities
XSS, LFI & CSRF vulnerabilitiesCTM360
 
ANDROID APPLICATION FOR PASSWORDLESS LOGIN FOR WEB APPLICATIONS
ANDROID APPLICATION FOR PASSWORDLESS LOGIN FOR WEB APPLICATIONSANDROID APPLICATION FOR PASSWORDLESS LOGIN FOR WEB APPLICATIONS
ANDROID APPLICATION FOR PASSWORDLESS LOGIN FOR WEB APPLICATIONSJournal For Research
 
A literature survey on anti phishing
A literature survey on anti phishingA literature survey on anti phishing
A literature survey on anti phishingIJCSES Journal
 
Smart-Authentication: A secure web service for providing bus pass renewal system
Smart-Authentication: A secure web service for providing bus pass renewal systemSmart-Authentication: A secure web service for providing bus pass renewal system
Smart-Authentication: A secure web service for providing bus pass renewal systemIRJET Journal
 
An Overview on Authentication Approaches and Their Usability in Conjunction w...
An Overview on Authentication Approaches and Their Usability in Conjunction w...An Overview on Authentication Approaches and Their Usability in Conjunction w...
An Overview on Authentication Approaches and Their Usability in Conjunction w...IJERA Editor
 
Android Based Total Security for System Authentication
Android Based Total Security for System AuthenticationAndroid Based Total Security for System Authentication
Android Based Total Security for System AuthenticationIJERA Editor
 
A novel way of integrating voice recognition and one time passwords to preven...
A novel way of integrating voice recognition and one time passwords to preven...A novel way of integrating voice recognition and one time passwords to preven...
A novel way of integrating voice recognition and one time passwords to preven...ijdpsjournal
 
Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016Sumanth Damarla
 
Study on Phishing Attacks and Antiphishing Tools
Study on Phishing Attacks and Antiphishing ToolsStudy on Phishing Attacks and Antiphishing Tools
Study on Phishing Attacks and Antiphishing ToolsIRJET Journal
 
Web security landscape Unit 3 part 2
Web security landscape Unit 3 part 2Web security landscape Unit 3 part 2
Web security landscape Unit 3 part 2SURBHI SAROHA
 
Web Application Security Tips
Web Application Security TipsWeb Application Security Tips
Web Application Security Tipstcellsn
 
A10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and ForwardsA10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and ForwardsShane Stanley
 

What's hot (19)

IRJET- Phishing Website Detection based on Machine Learning
IRJET- Phishing Website Detection based on Machine LearningIRJET- Phishing Website Detection based on Machine Learning
IRJET- Phishing Website Detection based on Machine Learning
 
React security vulnerabilities
React security vulnerabilitiesReact security vulnerabilities
React security vulnerabilities
 
Sip 140208055023-phpapp02
Sip 140208055023-phpapp02Sip 140208055023-phpapp02
Sip 140208055023-phpapp02
 
XSS, LFI & CSRF vulnerabilities
XSS, LFI & CSRF vulnerabilitiesXSS, LFI & CSRF vulnerabilities
XSS, LFI & CSRF vulnerabilities
 
ANDROID APPLICATION FOR PASSWORDLESS LOGIN FOR WEB APPLICATIONS
ANDROID APPLICATION FOR PASSWORDLESS LOGIN FOR WEB APPLICATIONSANDROID APPLICATION FOR PASSWORDLESS LOGIN FOR WEB APPLICATIONS
ANDROID APPLICATION FOR PASSWORDLESS LOGIN FOR WEB APPLICATIONS
 
A literature survey on anti phishing
A literature survey on anti phishingA literature survey on anti phishing
A literature survey on anti phishing
 
Smart-Authentication: A secure web service for providing bus pass renewal system
Smart-Authentication: A secure web service for providing bus pass renewal systemSmart-Authentication: A secure web service for providing bus pass renewal system
Smart-Authentication: A secure web service for providing bus pass renewal system
 
An Overview on Authentication Approaches and Their Usability in Conjunction w...
An Overview on Authentication Approaches and Their Usability in Conjunction w...An Overview on Authentication Approaches and Their Usability in Conjunction w...
An Overview on Authentication Approaches and Their Usability in Conjunction w...
 
Hack using firefox
Hack using firefoxHack using firefox
Hack using firefox
 
Android Based Total Security for System Authentication
Android Based Total Security for System AuthenticationAndroid Based Total Security for System Authentication
Android Based Total Security for System Authentication
 
A novel way of integrating voice recognition and one time passwords to preven...
A novel way of integrating voice recognition and one time passwords to preven...A novel way of integrating voice recognition and one time passwords to preven...
A novel way of integrating voice recognition and one time passwords to preven...
 
Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016
 
Study on Phishing Attacks and Antiphishing Tools
Study on Phishing Attacks and Antiphishing ToolsStudy on Phishing Attacks and Antiphishing Tools
Study on Phishing Attacks and Antiphishing Tools
 
Lecture #22: Web Privacy & Security Breach
Lecture #22: Web Privacy & Security BreachLecture #22: Web Privacy & Security Breach
Lecture #22: Web Privacy & Security Breach
 
Web security landscape Unit 3 part 2
Web security landscape Unit 3 part 2Web security landscape Unit 3 part 2
Web security landscape Unit 3 part 2
 
Owasp web security
Owasp web securityOwasp web security
Owasp web security
 
Sms based otp
Sms based otpSms based otp
Sms based otp
 
Web Application Security Tips
Web Application Security TipsWeb Application Security Tips
Web Application Security Tips
 
A10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and ForwardsA10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and Forwards
 

Similar to IRJET- Survey on Web Application Vulnerabilities

A security note for web developers
A security note for web developersA security note for web developers
A security note for web developersJohn Ombagi
 
OFFTECH TOOL AND END URL FINDER
OFFTECH TOOL AND END URL FINDEROFFTECH TOOL AND END URL FINDER
OFFTECH TOOL AND END URL FINDERIRJET Journal
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityColin English
 
Identified Vulnerabilitis And Threats In Cloud Computing
Identified Vulnerabilitis And Threats In Cloud ComputingIdentified Vulnerabilitis And Threats In Cloud Computing
Identified Vulnerabilitis And Threats In Cloud ComputingIOSR Journals
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With ExamplesAlwin Thayyil
 
IRJET - PHISCAN : Phishing Detector Plugin using Machine Learning
IRJET - PHISCAN : Phishing Detector Plugin using Machine LearningIRJET - PHISCAN : Phishing Detector Plugin using Machine Learning
IRJET - PHISCAN : Phishing Detector Plugin using Machine LearningIRJET Journal
 
Survey on detecting and preventing web application broken access control attacks
Survey on detecting and preventing web application broken access control attacksSurvey on detecting and preventing web application broken access control attacks
Survey on detecting and preventing web application broken access control attacksIJECEIAES
 
Phishing Website Detection Using Machine Learning
Phishing Website Detection Using Machine LearningPhishing Website Detection Using Machine Learning
Phishing Website Detection Using Machine LearningIRJET Journal
 
Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)Wail Hassan
 
Website vulnerability to session fixation attacks
Website vulnerability to session fixation attacksWebsite vulnerability to session fixation attacks
Website vulnerability to session fixation attacksAlexander Decker
 
E-Business And Technology Essay
E-Business And Technology EssayE-Business And Technology Essay
E-Business And Technology EssayPamela Wright
 
How Can I Reduce The Risk Of A Cyber-Attack?
How Can I Reduce The Risk Of A Cyber-Attack?How Can I Reduce The Risk Of A Cyber-Attack?
How Can I Reduce The Risk Of A Cyber-Attack?Osei Fortune
 
Break Loose Acting To Forestall Emulation Blast
Break Loose Acting To Forestall Emulation BlastBreak Loose Acting To Forestall Emulation Blast
Break Loose Acting To Forestall Emulation BlastIRJET Journal
 
IRJET- Underpinning the Impact of Web Application Security on Businesses ...
IRJET- Underpinning the Impact of Web Application Security on Businesses ...IRJET- Underpinning the Impact of Web Application Security on Businesses ...
IRJET- Underpinning the Impact of Web Application Security on Businesses ...IRJET Journal
 
Creation Of Social Group in Full Stack Progressive Apparel Purchasing Web App
Creation Of Social Group in Full Stack Progressive Apparel Purchasing Web AppCreation Of Social Group in Full Stack Progressive Apparel Purchasing Web App
Creation Of Social Group in Full Stack Progressive Apparel Purchasing Web AppIRJET Journal
 

Similar to IRJET- Survey on Web Application Vulnerabilities (20)

A security note for web developers
A security note for web developersA security note for web developers
A security note for web developers
 
OFFTECH TOOL AND END URL FINDER
OFFTECH TOOL AND END URL FINDEROFFTECH TOOL AND END URL FINDER
OFFTECH TOOL AND END URL FINDER
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
A017130104
A017130104A017130104
A017130104
 
Identified Vulnerabilitis And Threats In Cloud Computing
Identified Vulnerabilitis And Threats In Cloud ComputingIdentified Vulnerabilitis And Threats In Cloud Computing
Identified Vulnerabilitis And Threats In Cloud Computing
 
International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions (IJEI)International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions (IJEI)
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With Examples
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
IRJET - PHISCAN : Phishing Detector Plugin using Machine Learning
IRJET - PHISCAN : Phishing Detector Plugin using Machine LearningIRJET - PHISCAN : Phishing Detector Plugin using Machine Learning
IRJET - PHISCAN : Phishing Detector Plugin using Machine Learning
 
Survey on detecting and preventing web application broken access control attacks
Survey on detecting and preventing web application broken access control attacksSurvey on detecting and preventing web application broken access control attacks
Survey on detecting and preventing web application broken access control attacks
 
Phishing Website Detection Using Machine Learning
Phishing Website Detection Using Machine LearningPhishing Website Detection Using Machine Learning
Phishing Website Detection Using Machine Learning
 
Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)
 
Website vulnerability to session fixation attacks
Website vulnerability to session fixation attacksWebsite vulnerability to session fixation attacks
Website vulnerability to session fixation attacks
 
E-Business And Technology Essay
E-Business And Technology EssayE-Business And Technology Essay
E-Business And Technology Essay
 
C01461422
C01461422C01461422
C01461422
 
How Can I Reduce The Risk Of A Cyber-Attack?
How Can I Reduce The Risk Of A Cyber-Attack?How Can I Reduce The Risk Of A Cyber-Attack?
How Can I Reduce The Risk Of A Cyber-Attack?
 
Break Loose Acting To Forestall Emulation Blast
Break Loose Acting To Forestall Emulation BlastBreak Loose Acting To Forestall Emulation Blast
Break Loose Acting To Forestall Emulation Blast
 
IRJET- Underpinning the Impact of Web Application Security on Businesses ...
IRJET- Underpinning the Impact of Web Application Security on Businesses ...IRJET- Underpinning the Impact of Web Application Security on Businesses ...
IRJET- Underpinning the Impact of Web Application Security on Businesses ...
 
Creation Of Social Group in Full Stack Progressive Apparel Purchasing Web App
Creation Of Social Group in Full Stack Progressive Apparel Purchasing Web AppCreation Of Social Group in Full Stack Progressive Apparel Purchasing Web App
Creation Of Social Group in Full Stack Progressive Apparel Purchasing Web App
 
web security
web securityweb security
web security
 

More from IRJET Journal

TUNNELING IN HIMALAYAS WITH NATM METHOD: A SPECIAL REFERENCES TO SUNGAL TUNNE...
TUNNELING IN HIMALAYAS WITH NATM METHOD: A SPECIAL REFERENCES TO SUNGAL TUNNE...TUNNELING IN HIMALAYAS WITH NATM METHOD: A SPECIAL REFERENCES TO SUNGAL TUNNE...
TUNNELING IN HIMALAYAS WITH NATM METHOD: A SPECIAL REFERENCES TO SUNGAL TUNNE...IRJET Journal
 
STUDY THE EFFECT OF RESPONSE REDUCTION FACTOR ON RC FRAMED STRUCTURE
STUDY THE EFFECT OF RESPONSE REDUCTION FACTOR ON RC FRAMED STRUCTURESTUDY THE EFFECT OF RESPONSE REDUCTION FACTOR ON RC FRAMED STRUCTURE
STUDY THE EFFECT OF RESPONSE REDUCTION FACTOR ON RC FRAMED STRUCTUREIRJET Journal
 
A COMPARATIVE ANALYSIS OF RCC ELEMENT OF SLAB WITH STARK STEEL (HYSD STEEL) A...
A COMPARATIVE ANALYSIS OF RCC ELEMENT OF SLAB WITH STARK STEEL (HYSD STEEL) A...A COMPARATIVE ANALYSIS OF RCC ELEMENT OF SLAB WITH STARK STEEL (HYSD STEEL) A...
A COMPARATIVE ANALYSIS OF RCC ELEMENT OF SLAB WITH STARK STEEL (HYSD STEEL) A...IRJET Journal
 
Effect of Camber and Angles of Attack on Airfoil Characteristics
Effect of Camber and Angles of Attack on Airfoil CharacteristicsEffect of Camber and Angles of Attack on Airfoil Characteristics
Effect of Camber and Angles of Attack on Airfoil CharacteristicsIRJET Journal
 
A Review on the Progress and Challenges of Aluminum-Based Metal Matrix Compos...
A Review on the Progress and Challenges of Aluminum-Based Metal Matrix Compos...A Review on the Progress and Challenges of Aluminum-Based Metal Matrix Compos...
A Review on the Progress and Challenges of Aluminum-Based Metal Matrix Compos...IRJET Journal
 
Dynamic Urban Transit Optimization: A Graph Neural Network Approach for Real-...
Dynamic Urban Transit Optimization: A Graph Neural Network Approach for Real-...Dynamic Urban Transit Optimization: A Graph Neural Network Approach for Real-...
Dynamic Urban Transit Optimization: A Graph Neural Network Approach for Real-...IRJET Journal
 
Structural Analysis and Design of Multi-Storey Symmetric and Asymmetric Shape...
Structural Analysis and Design of Multi-Storey Symmetric and Asymmetric Shape...Structural Analysis and Design of Multi-Storey Symmetric and Asymmetric Shape...
Structural Analysis and Design of Multi-Storey Symmetric and Asymmetric Shape...IRJET Journal
 
A Review of “Seismic Response of RC Structures Having Plan and Vertical Irreg...
A Review of “Seismic Response of RC Structures Having Plan and Vertical Irreg...A Review of “Seismic Response of RC Structures Having Plan and Vertical Irreg...
A Review of “Seismic Response of RC Structures Having Plan and Vertical Irreg...IRJET Journal
 
A REVIEW ON MACHINE LEARNING IN ADAS
A REVIEW ON MACHINE LEARNING IN ADASA REVIEW ON MACHINE LEARNING IN ADAS
A REVIEW ON MACHINE LEARNING IN ADASIRJET Journal
 
Long Term Trend Analysis of Precipitation and Temperature for Asosa district,...
Long Term Trend Analysis of Precipitation and Temperature for Asosa district,...Long Term Trend Analysis of Precipitation and Temperature for Asosa district,...
Long Term Trend Analysis of Precipitation and Temperature for Asosa district,...IRJET Journal
 
P.E.B. Framed Structure Design and Analysis Using STAAD Pro
P.E.B. Framed Structure Design and Analysis Using STAAD ProP.E.B. Framed Structure Design and Analysis Using STAAD Pro
P.E.B. Framed Structure Design and Analysis Using STAAD ProIRJET Journal
 
A Review on Innovative Fiber Integration for Enhanced Reinforcement of Concre...
A Review on Innovative Fiber Integration for Enhanced Reinforcement of Concre...A Review on Innovative Fiber Integration for Enhanced Reinforcement of Concre...
A Review on Innovative Fiber Integration for Enhanced Reinforcement of Concre...IRJET Journal
 
Survey Paper on Cloud-Based Secured Healthcare System
Survey Paper on Cloud-Based Secured Healthcare SystemSurvey Paper on Cloud-Based Secured Healthcare System
Survey Paper on Cloud-Based Secured Healthcare SystemIRJET Journal
 
Review on studies and research on widening of existing concrete bridges
Review on studies and research on widening of existing concrete bridgesReview on studies and research on widening of existing concrete bridges
Review on studies and research on widening of existing concrete bridgesIRJET Journal
 
React based fullstack edtech web application
React based fullstack edtech web applicationReact based fullstack edtech web application
React based fullstack edtech web applicationIRJET Journal
 
A Comprehensive Review of Integrating IoT and Blockchain Technologies in the ...
A Comprehensive Review of Integrating IoT and Blockchain Technologies in the ...A Comprehensive Review of Integrating IoT and Blockchain Technologies in the ...
A Comprehensive Review of Integrating IoT and Blockchain Technologies in the ...IRJET Journal
 
A REVIEW ON THE PERFORMANCE OF COCONUT FIBRE REINFORCED CONCRETE.
A REVIEW ON THE PERFORMANCE OF COCONUT FIBRE REINFORCED CONCRETE.A REVIEW ON THE PERFORMANCE OF COCONUT FIBRE REINFORCED CONCRETE.
A REVIEW ON THE PERFORMANCE OF COCONUT FIBRE REINFORCED CONCRETE.IRJET Journal
 
Optimizing Business Management Process Workflows: The Dynamic Influence of Mi...
Optimizing Business Management Process Workflows: The Dynamic Influence of Mi...Optimizing Business Management Process Workflows: The Dynamic Influence of Mi...
Optimizing Business Management Process Workflows: The Dynamic Influence of Mi...IRJET Journal
 
Multistoried and Multi Bay Steel Building Frame by using Seismic Design
Multistoried and Multi Bay Steel Building Frame by using Seismic DesignMultistoried and Multi Bay Steel Building Frame by using Seismic Design
Multistoried and Multi Bay Steel Building Frame by using Seismic DesignIRJET Journal
 
Cost Optimization of Construction Using Plastic Waste as a Sustainable Constr...
Cost Optimization of Construction Using Plastic Waste as a Sustainable Constr...Cost Optimization of Construction Using Plastic Waste as a Sustainable Constr...
Cost Optimization of Construction Using Plastic Waste as a Sustainable Constr...IRJET Journal
 

More from IRJET Journal (20)

TUNNELING IN HIMALAYAS WITH NATM METHOD: A SPECIAL REFERENCES TO SUNGAL TUNNE...
TUNNELING IN HIMALAYAS WITH NATM METHOD: A SPECIAL REFERENCES TO SUNGAL TUNNE...TUNNELING IN HIMALAYAS WITH NATM METHOD: A SPECIAL REFERENCES TO SUNGAL TUNNE...
TUNNELING IN HIMALAYAS WITH NATM METHOD: A SPECIAL REFERENCES TO SUNGAL TUNNE...
 
STUDY THE EFFECT OF RESPONSE REDUCTION FACTOR ON RC FRAMED STRUCTURE
STUDY THE EFFECT OF RESPONSE REDUCTION FACTOR ON RC FRAMED STRUCTURESTUDY THE EFFECT OF RESPONSE REDUCTION FACTOR ON RC FRAMED STRUCTURE
STUDY THE EFFECT OF RESPONSE REDUCTION FACTOR ON RC FRAMED STRUCTURE
 
A COMPARATIVE ANALYSIS OF RCC ELEMENT OF SLAB WITH STARK STEEL (HYSD STEEL) A...
A COMPARATIVE ANALYSIS OF RCC ELEMENT OF SLAB WITH STARK STEEL (HYSD STEEL) A...A COMPARATIVE ANALYSIS OF RCC ELEMENT OF SLAB WITH STARK STEEL (HYSD STEEL) A...
A COMPARATIVE ANALYSIS OF RCC ELEMENT OF SLAB WITH STARK STEEL (HYSD STEEL) A...
 
Effect of Camber and Angles of Attack on Airfoil Characteristics
Effect of Camber and Angles of Attack on Airfoil CharacteristicsEffect of Camber and Angles of Attack on Airfoil Characteristics
Effect of Camber and Angles of Attack on Airfoil Characteristics
 
A Review on the Progress and Challenges of Aluminum-Based Metal Matrix Compos...
A Review on the Progress and Challenges of Aluminum-Based Metal Matrix Compos...A Review on the Progress and Challenges of Aluminum-Based Metal Matrix Compos...
A Review on the Progress and Challenges of Aluminum-Based Metal Matrix Compos...
 
Dynamic Urban Transit Optimization: A Graph Neural Network Approach for Real-...
Dynamic Urban Transit Optimization: A Graph Neural Network Approach for Real-...Dynamic Urban Transit Optimization: A Graph Neural Network Approach for Real-...
Dynamic Urban Transit Optimization: A Graph Neural Network Approach for Real-...
 
Structural Analysis and Design of Multi-Storey Symmetric and Asymmetric Shape...
Structural Analysis and Design of Multi-Storey Symmetric and Asymmetric Shape...Structural Analysis and Design of Multi-Storey Symmetric and Asymmetric Shape...
Structural Analysis and Design of Multi-Storey Symmetric and Asymmetric Shape...
 
A Review of “Seismic Response of RC Structures Having Plan and Vertical Irreg...
A Review of “Seismic Response of RC Structures Having Plan and Vertical Irreg...A Review of “Seismic Response of RC Structures Having Plan and Vertical Irreg...
A Review of “Seismic Response of RC Structures Having Plan and Vertical Irreg...
 
A REVIEW ON MACHINE LEARNING IN ADAS
A REVIEW ON MACHINE LEARNING IN ADASA REVIEW ON MACHINE LEARNING IN ADAS
A REVIEW ON MACHINE LEARNING IN ADAS
 
Long Term Trend Analysis of Precipitation and Temperature for Asosa district,...
Long Term Trend Analysis of Precipitation and Temperature for Asosa district,...Long Term Trend Analysis of Precipitation and Temperature for Asosa district,...
Long Term Trend Analysis of Precipitation and Temperature for Asosa district,...
 
P.E.B. Framed Structure Design and Analysis Using STAAD Pro
P.E.B. Framed Structure Design and Analysis Using STAAD ProP.E.B. Framed Structure Design and Analysis Using STAAD Pro
P.E.B. Framed Structure Design and Analysis Using STAAD Pro
 
A Review on Innovative Fiber Integration for Enhanced Reinforcement of Concre...
A Review on Innovative Fiber Integration for Enhanced Reinforcement of Concre...A Review on Innovative Fiber Integration for Enhanced Reinforcement of Concre...
A Review on Innovative Fiber Integration for Enhanced Reinforcement of Concre...
 
Survey Paper on Cloud-Based Secured Healthcare System
Survey Paper on Cloud-Based Secured Healthcare SystemSurvey Paper on Cloud-Based Secured Healthcare System
Survey Paper on Cloud-Based Secured Healthcare System
 
Review on studies and research on widening of existing concrete bridges
Review on studies and research on widening of existing concrete bridgesReview on studies and research on widening of existing concrete bridges
Review on studies and research on widening of existing concrete bridges
 
React based fullstack edtech web application
React based fullstack edtech web applicationReact based fullstack edtech web application
React based fullstack edtech web application
 
A Comprehensive Review of Integrating IoT and Blockchain Technologies in the ...
A Comprehensive Review of Integrating IoT and Blockchain Technologies in the ...A Comprehensive Review of Integrating IoT and Blockchain Technologies in the ...
A Comprehensive Review of Integrating IoT and Blockchain Technologies in the ...
 
A REVIEW ON THE PERFORMANCE OF COCONUT FIBRE REINFORCED CONCRETE.
A REVIEW ON THE PERFORMANCE OF COCONUT FIBRE REINFORCED CONCRETE.A REVIEW ON THE PERFORMANCE OF COCONUT FIBRE REINFORCED CONCRETE.
A REVIEW ON THE PERFORMANCE OF COCONUT FIBRE REINFORCED CONCRETE.
 
Optimizing Business Management Process Workflows: The Dynamic Influence of Mi...
Optimizing Business Management Process Workflows: The Dynamic Influence of Mi...Optimizing Business Management Process Workflows: The Dynamic Influence of Mi...
Optimizing Business Management Process Workflows: The Dynamic Influence of Mi...
 
Multistoried and Multi Bay Steel Building Frame by using Seismic Design
Multistoried and Multi Bay Steel Building Frame by using Seismic DesignMultistoried and Multi Bay Steel Building Frame by using Seismic Design
Multistoried and Multi Bay Steel Building Frame by using Seismic Design
 
Cost Optimization of Construction Using Plastic Waste as a Sustainable Constr...
Cost Optimization of Construction Using Plastic Waste as a Sustainable Constr...Cost Optimization of Construction Using Plastic Waste as a Sustainable Constr...
Cost Optimization of Construction Using Plastic Waste as a Sustainable Constr...
 

Recently uploaded

microprocessor 8085 and its interfacing
microprocessor 8085 and its interfacingmicroprocessor 8085 and its interfacing
microprocessor 8085 and its interfacingjaychoudhary37
 
Heart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptxHeart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptxPoojaBan
 
Artificial-Intelligence-in-Electronics (K).pptx
Artificial-Intelligence-in-Electronics (K).pptxArtificial-Intelligence-in-Electronics (K).pptx
Artificial-Intelligence-in-Electronics (K).pptxbritheesh05
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdfCCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdfAsst.prof M.Gokilavani
 
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Dr.Costas Sachpazis
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130Suhani Kapoor
 
Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...VICTOR MAESTRE RAMIREZ
 
main PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidmain PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidNikhilNagaraju
 
GDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentationGDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentationGDSCAESB
 
Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.eptoze12
 
What are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptxWhat are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptxwendy cai
 
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVHARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVRajaP95
 
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...VICTOR MAESTRE RAMIREZ
 
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdfCCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdfAsst.prof M.Gokilavani
 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AIabhishek36461
 
power system scada applications and uses
power system scada applications and usespower system scada applications and uses
power system scada applications and usesDevarapalliHaritha
 
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...Soham Mondal
 
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...srsj9000
 

Recently uploaded (20)

microprocessor 8085 and its interfacing
microprocessor 8085 and its interfacingmicroprocessor 8085 and its interfacing
microprocessor 8085 and its interfacing
 
Heart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptxHeart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptx
 
Artificial-Intelligence-in-Electronics (K).pptx
Artificial-Intelligence-in-Electronics (K).pptxArtificial-Intelligence-in-Electronics (K).pptx
Artificial-Intelligence-in-Electronics (K).pptx
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdfCCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
 
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
 
Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...
 
main PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidmain PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfid
 
GDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentationGDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentation
 
Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.
 
What are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptxWhat are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptx
 
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVHARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
 
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
 
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdfCCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AI
 
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCRCall Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
 
power system scada applications and uses
power system scada applications and usespower system scada applications and uses
power system scada applications and uses
 
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
 
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
 

IRJET- Survey on Web Application Vulnerabilities

  • 1. International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056 Volume: 06 Issue: 09 | Sep 2019 www.irjet.net p-ISSN: 2395-0072 © 2019, IRJET | Impact Factor value: 7.34 | ISO 9001:2008 Certified Journal | Page 922 Survey on Web Application Vulnerabilities Yogesh Kumari Assistant Professor, Department of Computer Science, Shivaji College, Delhi University, New Delhi, India ---------------------------------------------------------------------***---------------------------------------------------------------------- Abstract - As in the last few years discovery of World Wide Web has grown rapidly. This has made web applications an important aspect to provide end users all the necessary features toaccess server functionality. Today, web application is one of the most widely used platforms to deliver information and services over Internet. Many WorldWideWebapplications are used in many security critical environments including medical, financial, e-commerce, military systems. A web application is the one that provides server functionality to its end users through a number of web pages. These web pages contain code that executes dynamically resulting client's queries. Although many techniques have been developed to fortify web applications and mitigate attacks towards web applications. Web applications are prone to attacks like browser hijacking, session riding,andcookietheft.Thispaperexplainstheworking of web applications and the existing security vulnerabilities possible in web applications. Key Words: Web application vulnerabilities, SQL injection, cross-side scripting 1. INTRODUCTION Today Internet has turned outtobean effectiveway of communication all over the world. Millions of businesses use Internet to exchange information with target market. It is also true that effective marketing is only possible when business is able to capture all the necessary informationand store it in an effective way so that later on, information can be processed with the accurate result to the end user. Web application utilizes web browsers and various web technologies to carry out task over the Internet. Web application includes shopping carts, online forms, spreadsheets, file conversion, photo and video editing,word processing, file processing and more. Web application can be accessed with the same version without any compatibility issues. Web applications run on multiple platforms regarding of device or the operating system. How Web Application Works? Web application uses client side script to present information to end users, using JavaScript and HTML. While server sidescripts are used to handle storage andretrievalof information using PHP and ASP. Through this only,endusers are capable to interact with any website which includes online forms, content management systems, shopping carts. Every web application requires a web server, application server and database. Web server is required to manage requests from clients. Application server is required to perform the query submitted by end user and database is used to store the information. Whenever a web server receives a request from an end user for any web page, the web server sends the page to the requesting browser and it passes the page to application server. The application server reads code on the page, performed the requested task like querying the database or processing any data and generates the accurate results. The result is passes back to web server by application server as static HTML page. At first, user sends the request to web server through application’s user interface or web browser. The same request is forwarded to web application server through web browser. Application server performs the task by requesting database server for any query, as soon as the query is processed, application server gets the results. Further, application server sends result to web server andwebserver respond back to the client with the results. Figure1: Working of Web Application
  • 2. International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056 Volume: 06 Issue: 09 | Sep 2019 www.irjet.net p-ISSN: 2395-0072 © 2019, IRJET | Impact Factor value: 7.34 | ISO 9001:2008 Certified Journal | Page 923 2. BACKGROUND Over the last few years, web applications have turned out be a favoritesubject where attacks tends to attack.Cross-site scripting, cookie poisoning came in picture. For instance, when a website is vulnerable to cross-site scripting, it means user cookie can be theft. And if cookie has been compromised,attackercanperformsessionhijackingandcan have access onto user’s account. Thus, it is very important to understand what are the ways through which attacker can attackany website.Whatcouldbethepossiblevulnerabilities in any web application? 3. CLASSIFICATION OF WEB APPLICATION VULNERABILITIES There are various types of vulnerabilities that have been presented as a thread to any web application. The following classes of attacks are as follows: 3.1. Authentication The Authentication talks about the attack that targets the method of validating the identity of a user, anyapplicationor any service. Authentication can be performed by any of the mechanism like something you have, somethingyouknowor something you are. 1. Brute Force Brute force attack is a hit and trial method to guess the usernameor password. In this attackercangeneratemillions of thousands of incorrect guess. And if the brute force is successful, the attacker is able to access the account. 2. Insufficient Authentication Insufficient Authentication attack takesplacewhenevera web application provides access to get sensitive information or any functionality without properly authentication. If a resource is unknown to anattacker,itstillremainsaccessible through a specific URL. For instance, Most of the websites have been designed with administrative functionality provided in root directory /admin/. Though the directory is not linked to anywhere but it can still be accessed through a standard web browser. If somehow attacker visits this page, entire administrative access of the web application would be gone. 3. Weak Password Recovery Validation Any website tends to have weak password recovery validation when it permits anyone to illegally obtain, change or recover anyone’s password. It happens when any information which is required to validate user’s identity can be circumvented. There are various ways through which password recovery systems can be compromised, such as brute force attacks, easily guessed secret questions. For instance, in many cases, website provides hint to remind users of their password.Somewebsitesrequestusers to provide email address with the combination of the phone number. Such information can be easily gained through online white pages. 3.2 Authorization Authorization section includes attacks that target web application’s method of determining if the user has permissions in order to perform a specific task or request. There are various techniques through which an attacker can fool a web site into increasing their privileges to gain protected information. 1. Session Prediction Websites are designed in such a way that a user connection is established by providing correct credentials in order to authenticate and track a user. Websites generate unique session ID to identify user session as authenticated. So, session ID is the proof and if this session ID is somehow gained by attacker, fraudulent activates are possible. 2. Insufficient Session Expiration If any web application provides access via old session credentialsorsessionID,attackercangainaccess.Insufficient session expiration increases web application exposure through which attacker can attack or steal any user’s personal information. A stolen session ID can be used to perform any fraudulent transaction. If the expiration time of session is more, more is the chances that attacker will guess the valid session ID. Such expiration can be exploitedtoview user’s activity over Internet. 3. Session Fixation Session Fixation is another technique of attack in which user’s session ID is given an explicit value. A number of techniques are used to fix the session ID value depending on the functionality of target website. Once the value is fixed, attacker wait for legitimate user to login. Once login credentials are given to successful login, the attacker uses predefined session ID value. 4. Insufficient Authorization When a website permits an end user to access sensitive data that shouldrequireincreasedaccesscontrolrestrictions. Even if a user is authenticated, full access of sensitivecontent and functionality must not be granted. For instance, many websites store administrative content and functionality in directory /admin and /log. If an attacker gets the access of these directories,theentireinformationcanbecompromised. 3.3 Client-Side Attacks The client side attacks basically focuses on the exploitation of website’s users.
  • 3. International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056 Volume: 06 Issue: 09 | Sep 2019 www.irjet.net p-ISSN: 2395-0072 © 2019, IRJET | Impact Factor value: 7.34 | ISO 9001:2008 Certified Journal | Page 924 1. Content Spoofing Content Spoofing is an attack technique that permits an attacker to inject malicious code which later can be misrepresented as the legitimate content of any web application. For instance, <HTML> <FRAMESET COLS=”100, *”> <FRAME NAME=”pr_menu” SRC=”menu.html”> <FRAME NAME=”pr_content SRC=”http://foo.example/pr/01012003.html> </FRAMSET> </HTML> In this code, if an attacker altered the URL to http://foo.example/pr?pg=http://attacker.example/sp oofed_press_release.html? <HTML> <FRAMESET COLS=”100, *”> <FRAME NAME=”pr_menu” SRC=”menu.html”> <FRAME NAME=”pr_content SRC=” http://attacker.example/spoofed_press_release.html”> </FRAMESET> </HTML> I. Cross-Site Scripting Cross-site scripting is an attack technique in which attacker’s supplied executable code is echoed through any web application. Persistentandnonpersistentattacksarethe two cross-site scripting attack. In non-persistent attack, end user is required tovisitcraftedlinklacedwithmaliciouscode. Once the link is clicked, the code is embedded in the URL and executed within user’s web browser. Whereas, in case of persistent attack, malicious code is submitted to website where it is stored for a period of time. 2. Command Execution In this section, attacks are covered which are designed to execute remote commands on any web application. I. Buffer Overflow Buffer overflow occurs when data written to a memory exceeds the allocated size of the buffer. Once the buffer is overflow, it can cause the software to crash or fault. Buffer overflow also used as denial of service attack when memory is corrupted resulting as software failure. II. OS Commands In this type of attack, Operating system commands are used to exploit website through manipulation of application input. For instance, exec("ls -la $dir",$lines,$rc); While executing Shellcommand,appending(;)semicoloncan force the web application into executing second command http://example/directory.php?dir=%3Bcat%20/etc/pass Retrieving the content of /etc/passwd file. III. SQL Injections In SQL injection attack, attacker sends the malicious input through application interfaceandqueriesareexecutedin the database giving attacker the control over the database. For instance, in this entering the right query i.e. 2 , the correct result will be shown from the database. Figure2 But in SQL injection attack, the attacker has given wrong query i.e.17 OR with equality symbol, OR is always going to give the answer “1” and ultimately providing access to the database. Figure3
  • 4. International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056 Volume: 06 Issue: 09 | Sep 2019 www.irjet.net p-ISSN: 2395-0072 © 2019, IRJET | Impact Factor value: 7.34 | ISO 9001:2008 Certified Journal | Page 925 Even an attacker submitsaloginandpasswordthatlookslike Login: ‘ OR ‘‘=’’ Password: ‘ OR ‘’=’’ Select Username from userswhere Username=’’ OR ‘’=’’ AND Password= ‘’OR ‘’=’’ This query compares empty string with an empty string and resulting TRUE results and providingattackertobeloggedin. IV. Path Traversal The Path Traversal attack forces access to file and directories that reside outside the web document root directory. Any device which exposes HTTP based interface makes it potentially vulnerable to Path Traversal attack. The most basic path traversal attack uses “…/” character sequence to alter resource location requested in the URL. Path Traversal against a web server Attack: http://example/../../../../../some/file Attack:http://example/..%255c..%255c..%255csome/file Attack: http://example/..%u2216..%u2216some/file 3. Logical Attacks The logical attacks focus on the exploitation of web application’s logical flow. Few examples of application logics are password recovery, auction bidding,accountregistration and e-commerce purchases. I. Denial of Service Denial of Service attack prevents a website from serving normal user activities. Denial of Service attack is used to target any specific user, database server and the web server. An intruder can lock out anyspecific user by repeatedlylogin attempts, use of SQL injections to modify database system to make it unstable and buffer overflow technique to crash or fault the web server. 4. CONCLUSIONS Web applications have become most commonandwidely used communication medium for day-to-day activities. An attacker can easily attack any web application if there is any fault in its design, implementation or deployment. There are many ways through which an intruder can break into a system and weakenit.Thispaperdiscussedmostwidelyused web application vulnerabilities which intrude web application security. An increasing amount of logic and application codeis moving towardsclient sideasaresult,itis bringing new securitychallenges. The attacker is able to gain more knowledgeabout the application results in compriseof server side application state. REFERENCES [1] Web Application Security Consortium: Thread Conclusion version 1.0.0 by webappsec.org. [2] Classification of Web Application Vulnerabilities, Savita B. Chavan and Dr. B. B. Meshram, V.J.T.I, Mumbai, India V.J.T.I, Mumbai, India [3] A Survey on Server-side Approaches to Securing Web Applications XIAOWEI LI Vanderbilt University YUAN XUE VanderbiltUniversity [4] Web Application Vulnerabilities: A Survey, Vandana Dwivedi, Himanshu Yadav and Anurag JainRITS,Bhopal (India) [5] OWASP Top 10 Web Application Vulnerabilities.http:// www.applicure.com/blog/owasp-top-10-2010 [6] A. Klein. “Cross Site Scripting Explained” Technical report, Sanctum Inc., June 2002. [7] Open Web Application Security Project. The ten most critical Web application security vulnerabilities. http://umn.dl.sourceforge.net/sourceforge/ owasp/OWASPTopTen2004.pdf, 2004. [8] Z. Su and G. Wassermann. The essence of command injection attacks in Web applications. In Proc. POPL, 2006 [9] Security Code Review- Identifying Web Vulnerabilities by Kiran Maraju.