This document discusses clickjacking attacks, which hijack users' clicks to perform unintended actions. It provides an overview of clickjacking, describes different types of attacks, and analyzes vulnerabilities that make websites susceptible. Experiments are conducted on a sample social networking site, applying various clickjacking techniques. Potential defenses are tested, including X-Frame-Options headers and frame busting code. A proposed solution detects transparent iframes to warn users and check for hidden mouse pointers to mitigate cursorjacking. Analysis of top Jammu and Kashmir websites found most were vulnerable, while browser behavior studies showed varying support for defenses.
Dominating headlines for the past year, SQLi has become a widely-known, even outside the circle of security professionals. And for good reason: SQL injection is probably the most expensive and costly attack since it is mainly used to steal data. Famous breaches, including Sony, Nokia, Heartland Payment Systems and even Lady Gaga's Web sites were compromised by hackers who used SQL injection to break-in to the application's backend database. LulzSec, the notorious hacktivist group, made SQLi a key part of their arsenal. This report details how prevalent SQL injection attacks have become, how attacks are executed and how hackers are innovating SQLi attacks to bypass security controls as well as increase potency.
Dominating headlines for the past year, SQLi has become a widely-known, even outside the circle of security professionals. And for good reason: SQL injection is probably the most expensive and costly attack since it is mainly used to steal data. Famous breaches, including Sony, Nokia, Heartland Payment Systems and even Lady Gaga's Web sites were compromised by hackers who used SQL injection to break-in to the application's backend database. LulzSec, the notorious hacktivist group, made SQLi a key part of their arsenal. This report details how prevalent SQL injection attacks have become, how attacks are executed and how hackers are innovating SQLi attacks to bypass security controls as well as increase potency.
Symantec propone un'analisi approfondita sui Rogue Security Software. I RSS sono applicazioni fasulle che fingono di fornire servizi di tutela della sicurezza informatica ma che, al contrario, hanno come obiettivo quello di installare dei codici maligni che compromettono la sicurezza generale della macchina.
Panoramica - Rischi - Principali modalità di diffusione e distribuzione.
Il periodo di osservazione va da luglio 2008 a giugno 2009, qui è presentato un sommario dello Studio.
An Indistinguishability Model for Evaluating Diverse Classes of Phishing Atta...CSCJournals
Phishing is a growing threat to Internet users and causes billions of dollars in damage every year. While there are a number of research articles that study the tactics, techniques and procedures employed by phishers in the literature, in this paper, we present a theoretical yet practical model to study this menacing threat in a formal manner. While it is common folklore knowledge that a successful phishing attack entails creating messages that are indistinguishable from the natural, expected messages by the intended victim, this concept has not been formalized. Our model attempts to capture a phishing attack in terms of this indistinguishability between the natural and phishing message probability distributions. We view the actions performed by a phisher as an attempt to create messages that are indistinguishable to the victim from that of “normal” messages. To the best of our knowledge, this is the first study that places phishing on a concrete theoretical framework and offers a new perspective to analyze this threat. We propose metrics to analyze the success probability of a phishing attack taking into account the input used by a phisher and the work involved in creating deceptive email messages. Finally, we study and apply our model to a new class of phishing attacks called collaborative spear phishing that is gaining momentum. Recent examples include Operation Woolen-Goldfish in 2015, Rocket Kitten in 2014 and Epsilon email breach in 2011. We point out fundamental flaws in the current email-based marketing business model which enables such targeted spear phishing collaborative attacks. In this sense, our study is very timely and presents new and emerging trends in phishing.
USER AWARENESS MEASUREMENT THROUGH SOCIAL ENGINEERING ijmvsc
TUBITAK National Research Institute of Electronics and Cryptology (UEKAE) Department of Information Systems Security makes social engineering attacks to Turkish public agencies within the frame of “Information Security Tests” [19]. This paper will make an analysis of the social engineering tests that have been carried out in several Turkish public agencies. The tests include phone calling to sample employees by the social engineer and trying to seize employees’ sensitive information by exploiting their good faith. The aim of this research is to figure that the employees in Turkish public agencies have a lack of information security awareness and they compromise the information security principles which should be necessarily applied for any public agencies. Social engineering, both with its low cost and ability to take advantage of low technology, has taken its place in the information security literature as a very effective form of attack [8].
Welcome to the Threatsploit Report of covering some of the important cybersecurity events, incidents and exploits that occurred this month such as Application Security, Mobile App Security, Network Security, Website Security, API Security, Cloud Security, Host Level Security, Cyber Intelligence, Thick Client Security, Threat Vulnerability, Database Security, IOT Security, Wireless Security.
A Review paper on Securing PHP based websites From Web Application Vulnerabil...Editor IJMTER
In today’s Era, Web applications are one of the most part ubiquitous platforms for
information sharing and services over Internet which play significant role in individual life as well
as in any country’s growth. Web applications have gone through a very rapid Growth As they are
increasingly used for the financial organization, government, hospitality and many critical services.
Web applications become a popular and precious target for security attacks. at the present time,
billions of transactions are done online through net banking, online shopping, online billing and
many more. Even though these applications are used by lots of people modern web applications
often implements the complex structure requires for user to carry out actions in given order, in
many cases the security level is too low, which makes them vulnerable to get compromised. Even
though a large number of techniques have been developed to build up web applications and
mitigate the attacks toward web applications, there is little effort constant to drawing relations
among these techniques and building a big picture of web application security(WAS) research. In
this paper, we present a survey on various types of web application vulnerabilities(WAV).
Third-party apps are a major reason for the popularity and addictiveness of Online Social Network. However little is
understood about the characteristics of malicious apps and how they operate. Malicious apps are much more likely to share
names with other apps, and they typically request fewer permissions than benign apps. We will propose MADE – a Malicious
Application Detector and Evaluator that will do two major things. Firstly, we will find the malicious apps often share names
with other apps, and they typically request fewer permissions than benign apps. Secondly, leveraging these distinguishing
features, we show that MADE can detect malicious apps with certain accuracy. We will also highlight the emergence of appnets and will keep continue to dig deeper.
Research Article On Web Application SecuritySaadSaif6
This Is The Totally Hand Written Research Article On
Web Application Security
(Improving Critical Web-based Applications Quality Through In depth Security Analysis)
This Research Article Was Made By Me After The Hard Working Of One Month. Its Best And Suitable For Your Research Paper And Also Used In Class For Present It And For Submission.
August was a big month for zero-day vulnerabilities, in which a total of 11 were reported. This is by far the largest number disclosed in a given month to-date.
Six of these zero-day vulnerabilities impact industrial control systems, devices used in industrial sectors and critical infrastructures, across five vendors. The vulnerabilities cover a wide range of possible attacks, including remote code execution and denial of service attacks.
Two further zero-day vulnerabilities were discovered in the Apple OS X operating system. When used in tandem, these two vulnerabilities can cause memory corruption in the OS X kernel and gain the attacker escalated privileges on the compromised computer.
These vulnerabilities come on the heels of a new OS X threat called OSX.Sudoprint. This threat exploits a local privilege escalation vulnerability in the OS X operating system, which was patched by Apple at the beginning of August. This threat comprised over 77 percent of the OS X threats we saw on OS X endpoints this month.
A Mitigation Technique For Internet Security Threat of Toolkits AttackCSCJournals
The development of attack toolkits conforms that cybercrime is driven primarily by financial motivations as noted from the significant profits made by both the developers and buyers. In this paper, an enhanced hybrid attack toolkit mitigation model was designed to tackle the economy of the attack toolkits using different techniques to discredit it. The mitigation looked into Zeus, a common and the most frequently used attack toolkit to discover the hidden information used by the attackers to launch attacks. This information helped in creating honey toolkits, honeybot and honeytokens. Honeybots are used to submit honeytoken to botmasters, who sells to the internet black market. Both the botmasters, his mules and buyers attempts to steal huge amount of money using the stolen credentials which includes both real and honeytokens and will be detected by an attack detector which sends an alert on any transaction involving the honeytokens. A reconfirmation process which is secured using enhanced RC6 cryptosystem is enacted. The reconfirmation message in plain text is securely encrypted into cipher text and transmitted from the bank to the legitimate account owner and vise visa. The result of the crypto analysis carried out on the encrypted text using RC6 encryption algorithm showed that the cipher text is not transparent.
Symantec propone un'analisi approfondita sui Rogue Security Software. I RSS sono applicazioni fasulle che fingono di fornire servizi di tutela della sicurezza informatica ma che, al contrario, hanno come obiettivo quello di installare dei codici maligni che compromettono la sicurezza generale della macchina.
Panoramica - Rischi - Principali modalità di diffusione e distribuzione.
Il periodo di osservazione va da luglio 2008 a giugno 2009, qui è presentato un sommario dello Studio.
An Indistinguishability Model for Evaluating Diverse Classes of Phishing Atta...CSCJournals
Phishing is a growing threat to Internet users and causes billions of dollars in damage every year. While there are a number of research articles that study the tactics, techniques and procedures employed by phishers in the literature, in this paper, we present a theoretical yet practical model to study this menacing threat in a formal manner. While it is common folklore knowledge that a successful phishing attack entails creating messages that are indistinguishable from the natural, expected messages by the intended victim, this concept has not been formalized. Our model attempts to capture a phishing attack in terms of this indistinguishability between the natural and phishing message probability distributions. We view the actions performed by a phisher as an attempt to create messages that are indistinguishable to the victim from that of “normal” messages. To the best of our knowledge, this is the first study that places phishing on a concrete theoretical framework and offers a new perspective to analyze this threat. We propose metrics to analyze the success probability of a phishing attack taking into account the input used by a phisher and the work involved in creating deceptive email messages. Finally, we study and apply our model to a new class of phishing attacks called collaborative spear phishing that is gaining momentum. Recent examples include Operation Woolen-Goldfish in 2015, Rocket Kitten in 2014 and Epsilon email breach in 2011. We point out fundamental flaws in the current email-based marketing business model which enables such targeted spear phishing collaborative attacks. In this sense, our study is very timely and presents new and emerging trends in phishing.
USER AWARENESS MEASUREMENT THROUGH SOCIAL ENGINEERING ijmvsc
TUBITAK National Research Institute of Electronics and Cryptology (UEKAE) Department of Information Systems Security makes social engineering attacks to Turkish public agencies within the frame of “Information Security Tests” [19]. This paper will make an analysis of the social engineering tests that have been carried out in several Turkish public agencies. The tests include phone calling to sample employees by the social engineer and trying to seize employees’ sensitive information by exploiting their good faith. The aim of this research is to figure that the employees in Turkish public agencies have a lack of information security awareness and they compromise the information security principles which should be necessarily applied for any public agencies. Social engineering, both with its low cost and ability to take advantage of low technology, has taken its place in the information security literature as a very effective form of attack [8].
Welcome to the Threatsploit Report of covering some of the important cybersecurity events, incidents and exploits that occurred this month such as Application Security, Mobile App Security, Network Security, Website Security, API Security, Cloud Security, Host Level Security, Cyber Intelligence, Thick Client Security, Threat Vulnerability, Database Security, IOT Security, Wireless Security.
A Review paper on Securing PHP based websites From Web Application Vulnerabil...Editor IJMTER
In today’s Era, Web applications are one of the most part ubiquitous platforms for
information sharing and services over Internet which play significant role in individual life as well
as in any country’s growth. Web applications have gone through a very rapid Growth As they are
increasingly used for the financial organization, government, hospitality and many critical services.
Web applications become a popular and precious target for security attacks. at the present time,
billions of transactions are done online through net banking, online shopping, online billing and
many more. Even though these applications are used by lots of people modern web applications
often implements the complex structure requires for user to carry out actions in given order, in
many cases the security level is too low, which makes them vulnerable to get compromised. Even
though a large number of techniques have been developed to build up web applications and
mitigate the attacks toward web applications, there is little effort constant to drawing relations
among these techniques and building a big picture of web application security(WAS) research. In
this paper, we present a survey on various types of web application vulnerabilities(WAV).
Third-party apps are a major reason for the popularity and addictiveness of Online Social Network. However little is
understood about the characteristics of malicious apps and how they operate. Malicious apps are much more likely to share
names with other apps, and they typically request fewer permissions than benign apps. We will propose MADE – a Malicious
Application Detector and Evaluator that will do two major things. Firstly, we will find the malicious apps often share names
with other apps, and they typically request fewer permissions than benign apps. Secondly, leveraging these distinguishing
features, we show that MADE can detect malicious apps with certain accuracy. We will also highlight the emergence of appnets and will keep continue to dig deeper.
Research Article On Web Application SecuritySaadSaif6
This Is The Totally Hand Written Research Article On
Web Application Security
(Improving Critical Web-based Applications Quality Through In depth Security Analysis)
This Research Article Was Made By Me After The Hard Working Of One Month. Its Best And Suitable For Your Research Paper And Also Used In Class For Present It And For Submission.
August was a big month for zero-day vulnerabilities, in which a total of 11 were reported. This is by far the largest number disclosed in a given month to-date.
Six of these zero-day vulnerabilities impact industrial control systems, devices used in industrial sectors and critical infrastructures, across five vendors. The vulnerabilities cover a wide range of possible attacks, including remote code execution and denial of service attacks.
Two further zero-day vulnerabilities were discovered in the Apple OS X operating system. When used in tandem, these two vulnerabilities can cause memory corruption in the OS X kernel and gain the attacker escalated privileges on the compromised computer.
These vulnerabilities come on the heels of a new OS X threat called OSX.Sudoprint. This threat exploits a local privilege escalation vulnerability in the OS X operating system, which was patched by Apple at the beginning of August. This threat comprised over 77 percent of the OS X threats we saw on OS X endpoints this month.
A Mitigation Technique For Internet Security Threat of Toolkits AttackCSCJournals
The development of attack toolkits conforms that cybercrime is driven primarily by financial motivations as noted from the significant profits made by both the developers and buyers. In this paper, an enhanced hybrid attack toolkit mitigation model was designed to tackle the economy of the attack toolkits using different techniques to discredit it. The mitigation looked into Zeus, a common and the most frequently used attack toolkit to discover the hidden information used by the attackers to launch attacks. This information helped in creating honey toolkits, honeybot and honeytokens. Honeybots are used to submit honeytoken to botmasters, who sells to the internet black market. Both the botmasters, his mules and buyers attempts to steal huge amount of money using the stolen credentials which includes both real and honeytokens and will be detected by an attack detector which sends an alert on any transaction involving the honeytokens. A reconfirmation process which is secured using enhanced RC6 cryptosystem is enacted. The reconfirmation message in plain text is securely encrypted into cipher text and transmitted from the bank to the legitimate account owner and vise visa. The result of the crypto analysis carried out on the encrypted text using RC6 encryption algorithm showed that the cipher text is not transparent.
SQL Vulnerability Prevention in Cybercrime using Dynamic Evaluation of Shell and Remote File Injection Attacks R. Ravi,
Department of Computer Science & Engineering,
Francis Xavier Engineering College, Tamil Nadu, India
Dr. Beulah Shekhar,
Department of Criminology,
Manonmanium Sundaranar University, Tamil Nadu, India
THREATS AND OPPORTUNITIES WITH AI-BASED CYBER SECURITY INTRUSION DETECTION: A...ijseajournal
Internet usage has increased quickly, particularly in the previous decade. With the widespread use of the
internet, cybercrime is growing at an alarming rate in our daily lives. However, with the growth of
artificial intelligence (AI), businesses are concentrating more on preventing cybercrime. AI is becoming an
essential component of every business, affecting individuals worldwide. Cybercrime is one of the most
prominent domains where AI has begun demonstrating valuable inputs. As a result, AI is being deployed as
the first line of defense in most firms' systems. Because AI can detect new assaults faster than humans, it is
the best alternative for constructing better protection against cybercrime. AI technologies also offer more
significant potential in the development of such technology. This paper discusses recent cyber intrusions
and how the AI-enabled industry is preparing to defend itself in the long run.
Effect of Sociability and Curiosity of Senior Developers in Building Agile Sc...ijseajournal
This paper aims to investigate the mechanisms that contribute to propagation of competence in an Agile Scrum team. This study seeks to challenge the traditional view of bounded rationality (BR). An Agile Scrum team (Team) is expected to build problem solving competence quickly as the expected ramp up time continues to shrink. But the team has a mixture of expertise, competence and sociability levels that affect out-of-the-box performance. The objective is to expand BR into the social realm and see how teams can self-organize and reconfigure to allow effective problem solving. Studies have shown that agent-based computational simulation is an appropriate technique to explore this point from a theoretical perspective. (Fioretti, 2013) (Secchi, 2015). The first step is to define the problem, discuss how senior team members exhibit high curiosity and apply sociability and cognitive resources to develop overall team competence. This dynamic is modeled and simulated in NetLogoR and the results are analyzed. Finally, some key findings are presented and discussed.
Invesitigation of Malware and Forensic Tools on Internet IJECEIAES
Malware is an application that is harmful to your forensic information. Basically, malware analyses is the process of analysing the behaviours of malicious code and then create signatures to detect and defend against it.Malware, such as Trojan horse, Worms and Spyware severely threatens the forensic security. This research observed that although malware and its variants may vary a lot from content signatures, they share some behaviour features at a higher level which are more precise in revealing the real intent of malware. This paper investigates the various techniques of malware behaviour extraction and analysis. In addition, we discuss the implications of malware analysis tools for malware detection based on various techniques.
Credential Harvesting Using Man in the Middle Attack via Social Engineeringijtsrd
With growing internet users threat landscape is also increasing widely. Even following standard security policies and using multiple security layers will not keep users safe unless they are well aware of the emerging cyber threats and the risks involved. Humans are the weakest link in the security system as they possess emotions that can be exploited with minimum reconnaissance. social engineering is a type of cyber attack where it exploits human behavior or emotions to collect sensitive information such as username, password, personal details, etc. This paper proposes a system that helps end users to understand that even using security mechanisms such as two factor authentication can be useless when the user is not aware of basic security elements and make internet users aware of cyber threats and the risk involved. Sudhakar P | Dr. Uma Rani Chellapandy "Credential Harvesting Using Man in the Middle Attack via Social Engineering" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-6 | Issue-3 , April 2022, URL: https://www.ijtsrd.com/papers/ijtsrd49629.pdf Paper URL: https://www.ijtsrd.com/computer-science/computer-security/49629/credential-harvesting-using-man-in-the-middle-attack-via-social-engineering/sudhakar-p
Contemporary Cyber Security Social Engineering Solutions, Measures, Policies,...CSCJournals
Social engineering is a major threat to organizations as more and more companies digitize operations and increase connectivity through the internet. After defining social engineering and the problems it presents, this study offers a critical review of existing protection measures, tools, and policies for organizations to combat cyber security social engineering. Through a systematic review of recent studies published on the subject, our analysis identifies the need to provide training for employees to ensure they understand the risks of social engineering and how best to avoid becoming a victim. Protection measures include awareness programs, training of non-technical staff members, new security networks, software usage, and security protocols to address social engineering threats.
Content-Based Image Retrieval (CBIR) systems have been used for the searching of relevant images in various research areas. In CBIR systems features such as shape, texture and color are used. The extraction of features is the main step on which the retrieval results depend. Color features in CBIR are used as in the color histogram, color moments, conventional color correlogram and color histogram. Color space selection is used to represent the information of color of the pixels of the query image. The shape is the basic characteristic of segmented regions of an image. Different methods are introduced for better retrieval using different shape representation techniques; earlier the global shape representations were used but with time moved towards local shape representations. The local shape is more related to the expressing of result instead of the method. Local shape features may be derived from the texture properties and the color derivatives. Texture features have been used for images of documents, segmentation-based recognition,and satellite images. Texture features are used in different CBIR systems along with color, shape, geometrical structure and sift features.
Performance Analysis of Audio and Video Synchronization using Spreaded Code D...Eswar Publications
The audio and video synchronization plays an important role in speech recognition and multimedia communication. The audio-video sync is a quite significant problem in live video conferencing. It is due to use of various hardware components which introduces variable delay and software environments. The objective of the synchronization is used to preserve the temporal alignment between the audio and video signals. This paper proposes the audio-video synchronization using spreading codes delay measurement technique. The performance of the proposed method made on home database and achieves 99% synchronization efficiency. The audio-visual
signature technique provides a significant reduction in audio-video sync problems and the performance analysis of audio and video synchronization in an effective way. This paper also implements an audio- video synchronizer and analyses its performance in an efficient manner by synchronization efficiency, audio-video time drift and audio-video delay parameters. The simulation result is carried out using mat lab simulation tools and simulink. It is automatically estimating and correcting the timing relationship between the audio and video signals and maintaining the Quality of Service.
Due to the availability of complicated devices in industry, models for consumers at lower cost of resources are developed. Home Automation systems have been developed by several researchers. The limitations of home automation includes complexity in architecture, higher costs of the equipment, interface inflexibility. In this paper as we have proposed, the working protocol of PIC 16F72 technology is which is secure, cost efficient, flexible that leads to the development of efficient home automation systems. The system is operational to control various home appliances like fans, Bulbs, Tube light. The following paper describes about components used and working of all components connected. The home automation system makes use of Android app entitled “Home App” which gives
flexibility and easy to use GUI.
Semantically Enchanced Personalised Adaptive E-Learning for General and Dysle...Eswar Publications
E-learning plays an important role in providing required and well formed knowledge to a learner. The medium of e- learning has achieved advancement in various fields such as adaptive e-learning systems. The need for enhancing e-learning semantically can enhance the retrieval and adaptability of the learning curriculum. This paper provides a semantically enhanced module based e-learning for computer science programme on a learnercentric perspective. The learners are categorized based on their proficiency for providing personalized learning environment for users. Learning disorders on the platform of e-learning still require lots of research. Therefore, this paper also provides a personalized assessment theoretical model for alphabet learning with learning objects for
children’s who face dyslexia.
Agriculture plays an important role in the economy of our country. Over 58 percent of the rural households depend on the agriculture sector as their means of livelihood. Agriculture is one of the major contributors to Gross Domestic Product(GDP). Seeds are the soul of agriculture. This application helps in reducing the time for the researchers as well as farmers to know the seedling parameters. The application helps the farmers to know about the percentage of seedlings that will grow and it is very essential in estimating the yield of that particular crop. Manual calculation may lead to some error, to minimize that error, the developed app is used. The scientist and farmers require the app to know about the physiological seed quality parameters and to take decisions regarding their farming activities. In this article a desktop app for seed germination percentage and vigour index calculation are developed in PHP scripting language.
What happens when adaptive video streaming players compete in time-varying ba...Eswar Publications
Competition among adaptive video streaming players severely diminishes user-QoE. When players compete at a bottleneck link many do not obtain adequate resources. This imbalance eventually causes ill effects such as screen flickering and video stalling. There have been many attempts in recent years to overcome some of these problems. However, added to the competition at the bottleneck link there is also the possibility of varying network bandwidth which can make the situation even worse. This work focuses on such a situation. It evaluates current heuristic adaptive video players at a bottleneck link with time-varying bandwidth conditions. Experimental setup includes the TAPAS player and emulated network conditions. The results show PANDA outperforms FESTIVE, ELASTIC and the Conventional players.
WLI-FCM and Artificial Neural Network Based Cloud Intrusion Detection SystemEswar Publications
Security and Performance aspects of cloud computing are the major issues which have to be tended to in Cloud Computing. Intrusion is one such basic and imperative security problem for Cloud Computing. Consequently, it is essential to create an Intrusion Detection System (IDS) to detect both inside and outside assaults with high detection precision in cloud environment. In this paper, cloud intrusion detection system at hypervisor layer is developed and assesses to detect the depraved activities in cloud computing environment. The cloud intrusion detection system uses a hybrid algorithm which is a fusion of WLI- FCM clustering algorithm and Back propagation artificial Neural Network to improve the detection accuracy of the cloud intrusion detection system. The proposed system is implemented and compared with K-means and classic FCM. The DARPA’s KDD cup dataset 1999 is used for simulation. From the detailed performance analysis, it is clear that the proposed system is able to detect the anomalies with high detection accuracy and low false alarm rate.
Spreading Trade Union Activities through Cyberspace: A Case StudyEswar Publications
This report present the outcome of an investigative research conducted to examine the modu-operandi of academic staff union of polytechnics (ASUP) YabaTech. The investigation covered the logistics and cost implication for spreading union activities among members. It was discovered that cost of management and dissemination of information to members was at high side, also logistics problem constitutes to loss of information in transit hence cut away some members from union activities. To curtail the problem identified, we proposed the
design of secure and dynamic website for spreading union activities among members and public. The proposed system was implemented using HTML5 technology, interface frameworks like Bootstrap and j query which enables the responsive feature of the application interface. The backend was designed using PHPMYSQL. It was discovered from the evaluation of the new system that cost of managing information has reduced considerably, and logistic problems identified in the old system has become a forgotten issue.
Identifying an Appropriate Model for Information Systems Integration in the O...Eswar Publications
Nowadays organizations are using information systems for optimizing processes in order to increase coordination and interoperability across the organizations. Since Oil and Gas Industry is one of the large industries in whole of the world, there is a need to compatibility of its Information Systems (IS) which consists three categories of systems: Field IS, Plant IS and Enterprise IS to create interoperability and approach the
optimizing processes as its result. In this paper we introduce the different models of information systems integration, identify the types of information systems that are using in the upstream and downstream sectors of petroleum industry, and finally based on expert’s opinions will identify a suitable model for information systems integration in this industry.
Link-and Node-Disjoint Evaluation of the Ad Hoc on Demand Multi-path Distance...Eswar Publications
This work illustrates the AOMDV routing protocol. Its ancestor, the AODV routing protocol is also described. This tutorial demonstrates how forward and reverse paths are created by the AOMDV routing protocol. Loop free paths formulation is described, together with node and link disjoint paths. Finally, the performance of the AOMDV routing protocol is investigated along link and node disjoint paths. The WSN with the AOMDV routing protocol using link disjoint paths is better than the WSN with the AOMDV routing protocol using node disjoint paths for energy consumption.
Bridging Centrality: Identifying Bridging Nodes in Transportation NetworkEswar Publications
To identify the importance of node of a network, several centralities are used. Majority of these centrality measures are dominated by components' degree due to their nature of looking at networks’ topology. We propose a centrality to identification model, bridging centrality, based on information flow and topological aspects. We apply bridging centrality on real world networks including the transportation network and show that the nodes distinguished by bridging centrality are well located on the connecting positions between highly connected regions. Bridging centrality can discriminate bridging nodes, the nodes with more information flowed through them and locations between highly connected regions, while other centrality measures cannot.
Now a days we are living in an era of Information Technology where each and every person has to become IT incumbent either intentionally or unintentionally. Technology plays a vital role in our day to day life since last few decades and somehow we all are depending on it in order to obtain maximum benefit and comfort. This new era equipped with latest advents of technology, enlightening world in the form of Internet of Things (IoT). Internet of things is such a specified and dignified domain which leads us to the real world scenarios where each object can perform some task while communicating with some other objects. The world with full of devices, sensors and other objects which will communicate and make human life far better and easier than ever. This paper provides an overview of current research work on IoT in terms of architecture, a technology used and applications. It also highlights all the issues related to technologies used for IoT, after the literature review of research work. The main purpose of this survey is to provide all the latest technologies, their corresponding
trends and details in the field of IoT in systematic manner. It will be helpful for further research.
Automatic Monitoring of Soil Moisture and Controlling of Irrigation SystemEswar Publications
In past couple of decades, there is immediate growth in field of agricultural technology. Utilization of proper method of irrigation by drip is very reasonable and proficient. A various drip irrigation methods have been proposed, but they have been found to be very luxurious and dense to use. The farmer has to maintain watch on irrigation schedule in the conventional drip irrigation system, which is different for different types of crops. In remotely monitored embedded system for irrigation purposes have become a new essential for farmer to accumulate his energy, time and money and will take place only when there will be requirement of water. In this approach, the soil test for chemical constituents, water content, and salinity and fertilizer requirement data collected by wireless and processed for better drip irrigation plan. This paper reviews different monitoring systems and proposes an automatic monitoring system model using Wireless Sensor Network (WSN) which helps the farmer to improve the yield.
Multi- Level Data Security Model for Big Data on Public Cloud: A New ModelEswar Publications
With the advent of cloud computing the big data has emerged as a very crucial technology. The certain type of cloud provides the consumers with the free services like storage, computational power etc. This paper is intended to make use of infrastructure as a service where the storage service from the public cloud providers is going to leveraged by an individual or organization. The paper will emphasize the model which can be used by anyone without any cost. They can store the confidential data without any type of security issue, as the data will be altered
in such a way that it cannot be understood by the intruder if any. Not only that but the user can retrieve back the original data within no time. The proposed security model is going to effectively and efficiently provide a robust security while data is on cloud infrastructure as well as when data is getting migrated towards cloud infrastructure or vice versa.
Impact of Technology on E-Banking; Cameroon PerspectivesEswar Publications
The financial services industry is experiencing rapid changes in services delivery and channels usage, and financial companies and users of financial services are looking at new technologies as they emerge and deciding whether or not to embrace them and the new opportunities to save and manage enormous time, cost and stress.
There is no doubt about the favourable and manifold impact of technology on e-banking as pictured in this review paper, almost all banks are with the least and most access e-banking Technological equipments like ATMs and Cards. On the other Hand cheap and readily available technology has opened a favourable competition in ebanking services business with a lot of wide range competitors competing with Commercial Banks in Cameroon in providing digital financial services.
Classification Algorithms with Attribute Selection: an evaluation study using...Eswar Publications
Attribute or feature selection plays an important role in the process of data mining. In general the data set contains more number of attributes. But in the process of effective classification not all attributes are relevant.
Attribute selection is a technique used to extract the ranking of attributes. Therefore, this paper presents a comparative evaluation study of classification algorithms before and after attribute selection using Waikato Environment for Knowledge Analysis (WEKA). The evaluation study concludes that the performance metrics of the classification algorithm, improves after performing attribute selection. This will reduce the work of processing irrelevant attributes.
Mining Frequent Patterns and Associations from the Smart meters using Bayesia...Eswar Publications
In today’s world migration of people from rural areas to urban areas is quite common. Health care services are one of the most challenging aspect that is must require to the people with abnormal health. Advancements in the technologies lead to build the smart homes, which contains various sensor or smart meter devices to automate the process of other electronic device. Additionally these smart meters can be able to capture the daily activities of the patients and also monitor the health conditions of the patients by mining the frequent patterns and
association rules generated from the smart meters. In this work we proposed a model that is able to monitor the activities of the patients in home and can send the daily activities to the corresponding doctor. We can extract the frequent patterns and association rules from the log data and can predict the health conditions of the patients and can give the suggestions according to the prediction. Our work is divided in to three stages. Firstly, we used to record the daily activities of the patient using a specific time period at three regular intervals. Secondly we applied the frequent pattern growth for extracting the association rules from the log file. Finally, we applied k means clustering for the input and applied Bayesian network model to predict the health behavior of the patient and precautions will be given accordingly.
Network as a Service Model in Cloud Authentication by HMAC AlgorithmEswar Publications
Resource pooling on internet-based accessing on use as pay environmental technology and ruled in IT field is the
cloud. Present, in every organization has trusted the web, however, the information must flow but not hold the
data. Therefore, all customers have to use the cloud. While the cloud progressing info by securing-protocols. Third
party observing and certain circumstances directly stale in flow and kept of packets in the virtual private cloud.
Global security statistics in the year 2017, hacking sensitive information in cloud approximately maybe 75.35%,
and the world security analyzer said this calculation maybe reached to 100%. For this cause, this proposed
research work concentrates on Authentication-Message-Digest-Key with authentication in routing the Network as
a Service of packets in OSPF (Open Shortest Path First) implementing Cloud with GNS3 has tested them to
securing from attackers.
Microstrip patch antennas are recently used in wireless detection applications due to their low power consumption, low cost, versatility, field excitation, ease of fabrication etc. The microstrip patch antennas are also called as printed antennas which is suffer with an array elements of antenna and narrow bandwidth. To overcome the above drawbacks, Flame Retardant Material is used as the substrate. Rectangular shape of microstrip patch antenna with FR4 material as the substrate which is more suitable for the explosive detection applications. The proposed printed antenna was designed with the dimension of 60 x 60 mm2. FR-4 material has a dielectric constant value of 4.3 with thickness 1.56 mm, length and width 60 mm and 60 mm respectively. One side of the substrate contains the ground plane of dimensions 60 x60 mm2 made of copper and the other side of the substrate contains the patch which have dimensions 34 x 29 mm2 and thickness 0.03mm which is also made of copper. RMPA without slot, Vertical slot RMPA, Double horizontal slot RMPA and Centre slot RMPA structures were
designed and the performance of the antennas were analysed with various parameters such as gain, directivity, Efield, VSWR and return loss. From the performance analysis, double horizontal slot RMPA antenna provides a better result and it provides maximum gain (8.61dB) and minimum return loss (-33.918dB). Based on the E-field excitation value the SEMTEX explosive material is detected and it was simulated using CST software.
Bandwidth Estimation Techniques for Relative ‘Fair’ Sharing in DASHEswar Publications
In the adaptive video streaming (AVS) literature the term fair sharing has been used to describe equal amounts of bandwidth allocated to adaptive client players. However, we argue that even though bandwidth sharing is an important aspect in some problems the same does not apply to AVS. Here the term relative ‘fair’ sharing is more applicable. The reason is that videos have different quality levels and will require differing amounts of the bandwidth to satisfy their needs. A 90% to 10% sharing may be sufficient for two players, one with high demands and the other with low demands. A 50% sharing may lead the player with the high bandwidth demand to get too little of the needed bandwidth resource. In addition, channel conditions may lead to players requiring different amount of bandwidth. Again, the concept of fair sharing has to be extended to relative ‘fair’ sharing for such scenarios. Hence, bandwidth estimation techniques players use to estimate the network bandwidth is very important in segment selection. A player utilizes one of the many techniques to determine what share of the bandwidth it can utilize among competing players. In this paper we explore some of the techniques used in state of-the-art players in their attempt to obtain a ‘fair’ share of the network bandwidth.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
1. Int. J. Advanced Networking and Applications
Volume: 10 Issue: 01 Pages: 3735-3740 (2018) ISSN: 0975-0290
3735
Clickjacking Attack: Hijacking User’s Click
Kokila Jamwal
M.Tech. Student (4th
Sem.)
Department of Computer Science & IT, University of Jammu, J & K, India
Email: kokilajamwal@gmail.com
Lalit Sen Sharma
Professor
Department of Computer Science & IT, University of Jammu, J & K, India
Email: lalitsen.sharma@gmail.com
-------------------------------------------------------------------ABSTRACT---------------------------------------------------------------
The cyber attacks have become most prevalent in the past few years. During this time, attackers have discovered
new vulnerabilities to carry out malicious activities on the internet. Both the clients and the servers have been
victimized by the attackers. Clickjacking is one of the attacks that have been adopted by the attackers to deceive
the innocuous internet users to initiate some action. Clickjacking attack exploits one of the vulnerabilities existing
in the web applications. This attack uses a technique that allows cross domain attacks with the help of user-
initiated clicks and performs unintended actions. This paper traces out the vulnerabilities that make a website
vulnerable to clickjacking attack and proposes a solution for the same.
Keywords - clickjacking, cursorjacking, frame busting, iframe, X-Frame-Options.
--------------------------------------------------------------------------------------------------------------------------------------------------
Date of Submission: May 29, 2018 Date of Acceptance: June 23, 2018
--------------------------------------------------------------------------------------------------------------------------------------------------
1. INTRODUCTION
Along with the growth of Internet, web applications have
also evolved from simple collections of static HTML
documents to complex dynamic pages. Web applications
with highly sophisticated user interfaces have become
possible due to client-side and server-side scripting
languages. But on the other hand, these technologies have
been exploited by the attackers as well. Attackers have
managed to perform different attacks on the web
applications using these technologies, necessitating focus
on the web security. Attackers always keep looking for
bugs, vulnerabilities and loopholes in the web
applications, browser, servers and other components of the
web to carry out a malicious activity. Internet Security
Threat Report 2011 by Symantec [1] concludes that
approximately 95 new vulnerabilities are discovered every
week. Website Security Statistics Report 2015 by
WhiteHat [2] shows that 64% of the Public Administration
sites, 55% of the Transportation and Food services sites
are always vulnerable. 86% of web applications had
serious issues with authentication, access control, and
confidentiality as per HP 2015 Cyber Risk Report [3].
According to 2016 Vulnerability Statistics Report by
Edgescan [4], 61% of the web application vulnerabilities
lead to browser attacks. Exploitation of one such
vulnerability leads to an attack, called the clickjacking
attack.
The term ‘Clickjacking’ was coined by Jeremiah
Grossman and Robert Hansen in the year 2008. According
to them, Clickjacking is a technique where cross-domain
attacks are perpetrated by hijacking user-initiated clicks to
perform unintended actions [5]. Clickjacking attack is a
technique that entices the victim into clicking on a specific
element of a webpage, while the victim intends to interact
with the content of a different website. The victim clicks
on an element of the attacker’s choice under the
misconception of clicking on an apparently harmless page.
In order to perform the attack, a malicious website
(attacker’s website) loads a page from the target website
inside an iframe. Cascading Style Sheets (CSS) can be
used to hide everything except the targeted region of the
page. The targeted region can either be displayed as a part
of the attacker’s page, known as User Interface redressing
or made fully transparent and placed on top of another
element on the attacker’s page [6]. All the major browsers
like Firefox, Chrome, Opera, etc have been the victims of
clickjacking attack. Social networking websites have been
one of the mostly attacked groups of web applications.
“Twitter bomb” is known to be one of the worst
clickjacking attacks, apart from the attack on Adobe Flash.
30% of Alexa Top 10 web sites, 70% of Top 20 bank web
sites, and 80% of 5 popular open-source web applications
have no defense against clickjacking in 2012 [7].
1.1 Types of Clickjacking
The clickjacking attack aims to trick the victim to perform
an action which he/she doesn’t intend to. Existing
clickjacking attacks are classified as [8]:
1.1.1 Compromising target display integrity
Hiding the target element- Attacker hides the target
element using HTML/CSS styling, but mouse events
still work. Attacker can carry out this attack by making
the target element transparent by placing it within a
division and setting the opacity value to zero.
Partial overlays- Attacker baffles a victim by making
only a part of the target element opaque. The z-index
property of CSS can be used for this overlaying thus
compromising target display integrity.
Cropping- Attacker crops the target element to show
only a piece of the target element.
2. Int. J. Advanced Networking and Applications
Volume: 10 Issue: 01 Pages: 3735-3740 (2018) ISSN: 0975-0290
3736
1.1.2 Compromising pointer integrity
Attacker violates pointer integrity by displaying a fake
cursor and hides the actual default cursor, known as
cursorjacking. This way victim misinterprets a click’s
target.
1.1.3 Compromising temporal integrity
Attacker manipulates a UI element after the user decides
to click. But before the actual click occurs the attacker
could move the target element on top of a button shortly
after the victim hovers the cursor over the button, in
anticipation of the click.
Attackers have compromised the context integrity of web
applications in the past and continue to do so; providing
new terms for different variants of the attack such as
likejacking, strokejacking, drag-and-drop clickjacking, etc.
2. AIMS AND OBJECTIVES
The objective of this study is to find out the vulnerabilities
leading to clickjacking attack in the web applications. The
study aims to study the mitigation techniques of the attack
and propose a solution for the same.
3. RELATED WORK
The goal of clickjacking attack is to trick the victim into
performing unintended actions by hijacking the victim’s
clicks. Various researchers have worked in the field of
detection and prevention of clickjacking attack. Study in
this domain is still being carried out by many researchers.
Some of them are listed as:
Lin-Shung Huang and et al. [9] devised new variants of
clickjacking attacks and demonstrated the inefficiency of
existing countermeasures in mitigating those attacks. They
evaluated the existing techniques of the attack prevention
and proposed a mechanism called “InContext” to ensure
visual and temporal integrity of websites.
R. P. Seenivasan and K. Suresh Joseph [10] proposed a
system to prevent clickjacking attacks. They evaluated the
proposed anti-clickjacking technique with security and
cost metrics.
Dipti Pawade and et al. [11] developed a JavaScript
based browser extension called “ClickProtect” for Google
Chrome which provides a solution for multiple
clickjacking attacks. It warns the user before he/she
proceeds towards an unsafe action (click) with a pop-up
warning message.
G. Rydstedt and et al. [12] surveyed frame busting
code the Alexa Top-500 websites including banks, social
networks, online merchandise, trading and gaming sites.
They proposed a JavaScript-based defense against
clickjacking.
Brigette Lundeen and Jim Alves-Foss [13] presented a
plug-in module for BeEF (Browser Exploitation
Framework) which provides a way for penetration testers
to easily demonstrate the impact of clickjacking
vulnerabilities. It is a tool designed to help professional
penetration testers easily demonstrate the impact of client-
side security vulnerabilities.
Daehyun Kim and Hyoungshick Kim [14] investigated
how vulnerable Korean websites were to clickjacking
attacks by performing real attacks on the top 500 most
popular Korean websites as well as all of the financial
websites. They also investigated top 500 global websites
for clickjacking vulnerability. They identified the type of
websites most vulnerable to clickjacking attack. They used
two browsers to check the vulnerability: Internet
Explorer8 and Google Chrome. They analyzed the attack
failure rates based on the type of website and also on the
different countries of the world. The investigation showed
that 99.6 % of the Korean websites were vulnerable to
clickjacking attack which was more than the global
websites, with vulnerability as 78%.
A. Sankara Narayanan [15] provided a clear view of
clickjacking attack using various code examples. Study
provided the numeric figures for the clickjacking google
results. He compared the numeric figures with other
browser-based attacks on the basis of google results in the
past few years. He implemented clickjacking attack using
various available online tools and mitigated the attack
using available anti-clickjacking tools.
Yusuke Takamatsu and Kenji Kono [16] proposed an
automated tool called “Clickjuggler” for checking
defenses against visual clickjacking during development.
They implemented Clickjuggler as a plug-in for Firefox
20.0.1 and 3.6.8 using Firefox plug-in interface. They
applied Clickjuggler to four real-world web applications
including Joomla, WordPress, MediaWiki and Roundcube.
They compared Clickjuggler to other tools like CJTool
and BeEF plug-in.
M. Balduzzi and et al. [17] proposed a solution for the
automated and efficient detection of clickjacking attacks.
They developed a browser plug-in consisting of a
detection unit and a testing unit. They analysed more than
a million unique Internet web pages to estimate the
prevalence of clickjacking attacks. The analysed to what
extent clickjacking defending techniques have been
adopted. As a result 7% of visited web pages did not
contain any clickable elements. 37.3% of visited websites
contained at least one iframe tag making the web pages
vulnerable to clickjacking attack.
4. EXPERIMENTAL SETUP
In this study, a web application, named SOCIO has been
developed in php. SOCIO is a sample social networking
web application developed for attack purpose; which
provide features like instant messaging and public posts.
This web application has been hosted on the local host
using XAMPP server. Various variants of the clickjacking
attack like basic clickjacking, multiple-iframe clickjacking
and cursorjacking have been carried out on this web
application to perform unintended actions. Visual integrity
and pointer integrity of the web applications have been
compromised. Other experiments such as checking top
websites of J&K for clickjacking vulnerability and study
on behavior of the mitigation techniques on different
browsers have also been performed. Modern browsers like
Google Chrome64, IE11, UC Browser7 and Firefox59
have been used to carry out these experiments. The Fig. 1
shows the architecture of clickjacking for carrying out
clickjacking on the target web application on the local
host.
3. Int. J. Advanced Networking and Applications
Volume: 10 Issue: 01 Pages: 3735-3740 (2018) ISSN: 0975-0290
3737
Fig. 1: Architecture of clickjacking attack
Apart from the basic clickjacking attack, other variants
of the attack have been performed through the target web
application.
5. EXPERIMENTAL WORK
The experiments have been carried out on the sample
social networking web application. The attacks that have
been performed on SOCIO are explained below:-
Basic Clickjacking-In SOCIO, basic clickjacking has
been performed by sending a link to the victim through
both, public post and message. The attack is used by the
attacker to make the victim change his/her profile
picture.
Clickjacking on nested iframes- Nested iframes has been
used by the attacker to carry out the attack.
Cursorjacking- Introduced by Eddy Bordi,
cursorjacking deceives the victim by using a fake cursor
to perform the attack. In order to make the attack
successful, original mouse cursor has been made
invisible. In SOCIO, cursorjacking leads to download a
malicious file.
Cookiejacking- In SOCIO, victim’s cookies have been
stolen using this variant of clickjacking. This is done
using cross-site scripting along with clickjacking.
These attack variants have been successfully performed
on the developed web application using all the major
modern browsers.
After performing the attacks successfully, the available
solutions to mitigate the attack have been applied to the
SOCIO web application one-by-one. These have been
listed below:-
X-Frame-Options- Introduced by Microsoft, X-Frame-
Options HTTP header is a response header that prevents
framing of a web application. Setting X-Frame-Options
allows a web application to specify if it can be iframed
or not. The possible values for X-Frame-Options are:-
DENY: Application cannot be displayed from any web
page.
SAMEORIGIN: Application can be displayed from web
pages with the same origin.
ALLOW-FROM: Application can be displayed from
specified URI only.
To mitigate the attack on SOCIO, following line was
added in the .htaccess file in the directory of the web
application:-
Header set X-Frame-Options DENY
The SAMEORIGIN value for X-Frame-Options was also
implemented by using the following line:-
Header set X-Frame-Options SAMEORIGIN
Frame busting- Frame busting is a technique that uses
JavaScript code to prevent clickjacking. In SOCIO,
different frame busting codes have been implemented to
mitigate the clickjacking attack.
Experiments have also been carried to check the web sites
vulnerable to the clickjacking attack among the top 50
websites of J&K, as shown in Table 1. Another
experiment involving the behavioural study of different
browsers for the mitigation solutions has been performed,
the results of which has been summarized in Table 2.
6. PROPOSED SOLUTION
Most of the clickjacking attacks are carried out using the
transparent layers of iframe. So, the proposed solution
detects such transparent iframes and makes them opaque
and warns the user about possible clickjacking attack. The
solution also works to detect the cursorjacking attack by
checking if the default mouse pointer is made hidden. The
proposed solution has been implemented as a JavaScript-
based extension. This extension consists of two units:
Detection Unit and Action Unit. Detection unit follows
pre-defined steps to detect the presence or absence of the
attack and the action unit takes certain actions to
successfully mitigate the attack. The flowchart of the
proposed solution is explained in Fig. 2.
Fig. 2: Flowchart of the proposed solution
4. Int. J. Advanced Networking and Applications
Volume: 10 Issue: 01 Pages: 3735-3740 (2018) ISSN: 0975-0290
3738
7. RESULT AND DISCUSSION
By performing these experiments, various results have
been gathered. The experiment to find out the number of
websites from Jammu and Kashmir (J&K) vulnerable to
clickjacking attack has been carried out on all the major
browsers. The result of the experiment has been
summarized in the TABLE 1 below.
Table 1: Number of websites vulnerable to clickjacking
Browser
Number of websites (out of 50)
vulnerable to clickjacking
Google Chrome 64 44
Internet Explorer 11 44
Mozilla Firefox 59 43
UC Browser 7 44
The result of this experiment points to the huge
possibility of clickjacking attacks on the websites of J&K.
This is alarming that only 4 out of the 50 websites are
completely safe (in all the tested browsers) from
clickjacking attack. Among those three, one website has X-
Frame-Options set to SAMEORIGIN and other two have
implemented frame busting codes.
Another experiment involving the study of behaviour
of browsers for different values of X-Frame-Options
header has been carried out successfully. TABLE 2 shows
whether the attack has been successfully mitigated or not.
Table 2: Behaviour of browsers for different values of X-
Frame-Options header
Browser
X-
Frame-
Options
set to
DENY
X-Frame-
Options set to
SAMEORIGIN
X-Frame-
Options set to
SAMEORIGIN
for nested
iframes
Google
Chrome
38.0
Yes Yes No
Google
Chrome
64
Yes Yes Yes
Internet
Explorer
11
Yes
Yes
No
Microsoft
Edge 16
Yes Yes No
Mozilla
Firefox
58
Yes Yes No
Mozilla
Firefox
59
Yes Yes Yes
UC
Browser
7
Yes Yes No
Apart from these experiments, the proposed solution has
been implemented to check the effectiveness of the
solution.
The web pages with clickjacking attack have been
checked with the JavaScript-based extension, the results of
which have been shown in the Fig. 3, Fig. 4, Fig. 5 and
Fig.6.
Fig.3: Alert generated by the proposed extension regarding
opacity issue
Fig.4: Transparent element (iframe) is made visible by the
proposed extension
Fig.5: Alert generated by the proposed extension regarding
cursorjacking
5. Int. J. Advanced Networking and Applications
Volume: 10 Issue: 01 Pages: 3735-3740 (2018) ISSN: 0975-0290
3739
Fig.6: Actual cursor is made visible by the proposed
extension
The results show that the proposed solution for
clickjacking attack successfully predicts the attack and
then prevents the attack by alerting the user. The proposed
solution has been successfully implemented in Chrome,
Firefox, UC Browser and Opera. The effectiveness of the
proposed solution has been checked on 20 web pages,
from both local host and on internet. The confusion matrix
for the same is presented in TABLE 3 below.
Table 3: Confusion Matrix for the proposed solution
Confusion Matrix
Predicted Class By the
Proposed Extension
Clickjacking
Present
Clickjacking
Absent
Actual
Class
Clickjacking
Present
13 1
Clickjacking
Absent
0 6
The confusion matrix gives 13 True Positive (TP), 1
False Negative (FN), 0 False Positive (FP) and 6 True
Negative (TN) cases. Therefore, precision, recall and F-
measure for the proposed solution are 1, 0.929 (approx.)
and 0.963 (approx.) respectively. With 0.963 (which is
close to 1) F-measure value, the proposed solution works
effectively against clickjacking attack.
8. CONCLUSION
The probability of clickjacking attacks is quite high due to
lack of awareness about the attack among a large group of
users. Even though there have been a variety of techniques
to mitigate clickjacking attack, but the attackers have
already bypassed those techniques in one way or the other.
Clickjacking is one of the emerging attacks that can result
in serious problems in the field of web security, in the near
future. Attackers are always in a constant search of
methods and techniques that can be used to carry out
malicious activities on internet. There is a huge need of
developing efficient techniques, both on client-side and
server-side to protect the web users from clickjacking
attack and it ever-emerging variants.
REFERENCES
[1] Symantec Corporation, Internet Security Threat
Report, 2012. [Online]. Available:
http://www.symantec.com/threatreport/
[2] WhiteHat Security, Inc., Website Security Statistics
Report 2015, Santa Clara, CA 95054, 2015.
[3] HP Security Research, “Cyber Risk Report”, 2015.
[4] BCC Risk Advisory Ltd., 2016 Vulnerability Statistics
Report Edgescan, 2016. [Online]. Available:
http://www.edgescan.com
[5] Robert Hansen and Jeremiah Grossman, Explanation
of Clickjacking. [Online]. Available:
http://www.sectheory.com/clickjacking.htm
[6] Context Information Security Ltd, Next Generation
Clickjacking, London, 2010. [Online]. Available:
http://www.contextis.co.uk
[7] Dingjie Yang, Clickjacking: An Overlooked Web
Security Hole, 2012. [Online]. Available:
https://blog.qualys.com/securitylabs/2012/11/29/clickja
cking-an-overlooked-web-security-hole
[8] Lin-Shung Huang, Alex Moshchuk, Helen J. Wang,
Stuart Schechter and Collin Jackson, Clickjacking:
Attacks and Defenses, Proc. USENIX Security
Symposium, Bellevue, WA, 2012, 413-428.
[9] Hanqing Wu and Liz Zhao, Clickjacking in Web
Security: A WhiteHat Perspective (New York, NY,
USA: CRC Press, 2015) 141-156.
[10] R. P. Seenivasan and K. Suresh Joseph, A Survey of
Clickjacking Attack and Countermeasures in Web
Environment, International Journal of Advanced
Research in Computer Science and Software
Engineering, 6(12), 2016, 206-213.
[11] Dipti Pawade, Era Johri, Divya Reja and Abhilasha
Lahigude, Implementation of Extension for Browser to
Detect Vulnerable Elements on Web Pages and Avoid
Clickjacking, Proc. 6th IEEE International Conf. on
Cloud System and Big Data Engineering, Noida, India,
2016, 226-230.
[12] G. Rydstedt, E. Bursztein, D. Boneh and C. Jackson,
Busting frame busting: a study of clickjacking
vulnerabilities at popular sites, Proc. IEEE Web 2.0
Security and Privacy, Oakland, CA, 2010, 1-13.
6. Int. J. Advanced Networking and Applications
Volume: 10 Issue: 01 Pages: 3735-3740 (2018) ISSN: 0975-0290
3740
[13] Brigette Lundeen and Jim Alves-Foss, Practical
Clickjacking with BeEF, Proc. IEEE Conf. on
Technologies for Homeland Security (HST),
Massachusetts, USA, 2012, 614-619.
[14] Daehyun Kim and Hyoungshick Kim, Performing
clickjacking attacks in the wild: 99% are still
vulnerable!, Proc. IEEE 1st International Conf. on
Software Security and Assurance, Suwon, South
Korea, 2015, 25-29.
[15] A. Sankara Narayanan, Clickjacking Vulnerability
and Countermeasures, International Journal of Applied
Information Systems, 4(7), 2012, 7-10.
[16] Yusuke Takamatsu and Kenji Kono, Detection of
Visual Clickjacking Vulnerabilities in Incomplete
Defenses, IEEE Journal of Information Processing,
23(4), 2015, 513-524.
[17] M. Balduzzi, M. Egele, E. Kirda, D. Balzarotti and C.
Kruegel, A Solution for the Automated Detection of
Clickjacking Attacks, Proc. 5th ACM Symposium on
Information, Computer and Communications Security,
Beijing, China, 2010, 135–144.
AUTHORS BIOGRAPHY
Kokila Jamwal is a Master of
Technology (MTech) student in
the Department of Computer
Science & IT, University of
Jammu. She received her
undergraduate Degree in
Information Technology (B.E
(IT)) from Mahant Bachittar Singh College of Engineering
and Technology, Jammu in the year 2016. Her research
interests are in the field of Networking and Network
Security.
Lalitsen Sharma received his
doctorate in Computer Science
and Engineering from Guru
Nanak Dev University
Amritsar, Punjab, India. He
also holds master’s degree in
Mathematics and Computer Applications from the same
university. He has been teaching to post graduate students
in computer applications of University of Jammu for more
than 20 years. He is a life member of India Science
Congress Association, Computer Society of India, Institute
of Electronics and Communication Engineers and National
HRD Network, India. He is specialized in Data
Communication and Network, Internet and WWW and
Data Structures. He has completed one major research
project to trace out vulnerabilities in network applications
funded by University Grants Commission, Ministry of
Human Resource Development, Govt. of India. He has
produced one PhD and is currently supervising Five PhD
scholars.