Cross-Site Scripting (XSS) is one of the serious web application attacks. Web applications are involved in every activity of human life, and JavaScript plays a major role in these web applications. In XSS attacks, a hacker injects malicious JavaScript into a trusted web application; execution of that malicious script may steal sensitive information from the user. Previous solutions to prevent XSS attacks require a lot of effort to integrate into existing web applications; some solutions work at the client side and some work based on a filter list which needs to be updated regularly. In this paper, we propose an Image Substitute technique (ImageSubXSS) to prevent Cross-Site Scripting attacks which works at the server side. The proposed solution is implemented and evaluated on a number of XSS attacks. With a single line, developers can integrate ImageSubXSS into their applications and the proposed solution is able to prevent XSS attacks effectively.
Tracing out Cross Site Scripting Vulnerabilities in Modern Scripts - Eswar Publications
Web technologies were primarily designed to cater to the need of ubiquitousness. The security concern has been overlooked, and such oversights resulted in vulnerabilities. These vulnerabilities are being highly exploited by hackers in various ways to compromise security. When a vulnerability is blocked, the attacker traces out a different mechanism to exploit it. The cross site scripting (XSS) attack is also an exploitation of one of the vulnerabilities existing in web applications. This paper traces out the vulnerability in functions and attributes of modern scripts to carry out cross site scripting attacks and suggests preventive measures.
Cookies are the mechanisms that maintain an authentication state between the user and web application. Therefore cookies are possible targets for attackers. The Cross Site Scripting (XSS) attack is one such attack against web applications in which a user has to compromise its browser’s resources (e.g. cookies). In this paper, a novel technique, the SHA_512 Hash Technique, is introduced whose aim is to make cookies worthless for the attackers. The work is done in HTTP protocol with Windows 10.
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
FRONT END AND BACK END DATABASE SECURITY IN THREE TIER WEB APPLICATION - ijiert bestjournal
This system turns away these sort of attacks and keep the customer record from request from hacking. By using IDS it can offer security to both web server and database server using mapping of sender require and the search from web server to database. This edge work is fit to distinguish the ambushes that past intrusion identification framework was not ready to do. This structure or framework does this work by isolating the surge of information from each web server session. It assesses the disclosure precision when framework tries to model static and dynamic web request and queries. Additionally this framework shows this stayed valid for element demand where both recuperation of information and updates to the back end database happen using the web server front end.
Double guard: Detecting Interruptions in N-Tier Web Applications - IJMER
International Journal of Modern Engineering Research (IJMER) is Peer reviewed, online Journal. It serves as an international archival forum of scholarly research related to engineering and science education.
International Journal of Modern Engineering Research (IJMER) covers all the fields of engineering and science: Electrical Engineering, Mechanical Engineering, Civil Engineering, Chemical Engineering, Computer Engineering, Agricultural Engineering, Aerospace Engineering, Thermodynamics, Structural Engineering, Control Engineering, Robotics, Mechatronics, Fluid Mechanics, Nanotechnology, Simulators, Web-based Learning, Remote Laboratories, Engineering Design Methods, Education Research, Students' Satisfaction and Motivation, Global Projects, and Assessment…. And many more.
IJERA (International journal of Engineering Research and Applications) is International online, ... peer reviewed journal. For more detail or submit your article, please visit www.ijera.com
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje... - Yuji Kosuga
With the recent rapid increase in interactive web applications that employ back-end database services, the SQL injection attack has become one of the most serious security threats. The SQL injection attack allows an attacker to access the underlying database, execute arbitrary commands at intent, and receive a dynamically generated output, such as HTML web pages. In this paper, we present our technique, Sania, for detecting SQL injection vulnerabilities in web applications during the development and debugging phases. Sania intercepts the SQL queries between a web application and a database, and automatically generates elaborate attacks according to the syntax and semantics of the potentially vulnerable spots in the SQL queries. In addition, Sania compares the parse trees of the intended SQL query and those resulting after an attack to assess the safety of these spots. We evaluated our technique using real-world web applications and found that our solution is efficient in comparison with a popular web application vulnerability scanner. We also found a vulnerability in a product that was just about to be released.
Automated Detection of Session Fixation Vulnerabilities - Yuji Kosuga
Session fixation is a technique for obtaining the visitor's session identifier (SID) by forcing the visitor to use the SID supplied by the attacker. The attacker who obtains the victim's SID can masquerade as the visitor. In this paper, we propose a technique to automatically detect session fixation vulnerabilities in web applications. Our technique uses an attack simulator that executes a real session fixation attack and checks whether it is successful or not. In the experiment, our system successfully detected vulnerabilities in our original test cases and in a real-world web application.
Dominating headlines for the past year, SQLi has become widely known, even outside the circle of security professionals. And for good reason: SQL injection is probably the most expensive and costly attack since it is mainly used to steal data. Famous breaches, including Sony, Nokia, Heartland Payment Systems and even Lady Gaga's Web sites, were compromised by hackers who used SQL injection to break in to the application's backend database. LulzSec, the notorious hacktivist group, made SQLi a key part of their arsenal. This report details how prevalent SQL injection attacks have become, how attacks are executed and how hackers are innovating SQLi attacks to bypass security controls as well as increase potency.
Last month a hacker breached Yahoo!'s security systems and acquired full access to certain Yahoo! databases, leading to full access on the server. Technically, this highlights the danger of SQLi. From a business perspective, we see the security problem posed by third-party code.
Analysis of XSS attack Mitigation techniques based on Platforms and Browsers - cscpconf
In recent years, everything is on the web: an organization’s administration software, custom ERP applications, employee portals or real estate portals. Social networking sites like Facebook, Twitter and MySpace are web applications used by millions of users around the world. So web applications have become very popular among users. Hence they are observed and may be exploited by hackers. Researchers and industry experts state that Cross-site Scripting (XSS) is one of the topmost vulnerabilities in web applications. Cross-site scripting has become a common vulnerability of many web sites and web applications. XSS consists in the exploitation of input validation flaws, with the purpose of injecting arbitrary script code which is later executed at the web browser of the victim. According to OWASP, cross-site scripting attacks on web applications have experienced an important rise in recent years. This demands an efficient approach on the server side to protect the users of the application, as the reason for the vulnerability primarily lies on the server side. The actual exploitation is within the victim’s web browser on the client side. Therefore, an operator of a web application has only very limited evidence of XSS issues. There are many solutions for this vulnerability, but such techniques may degrade the performance of the system. In such scenarios the challenge is to decide which method, platform, browser and middleware can be used to overcome the vulnerabilities with reasonable performance overhead to the system. Inspired by this problem, we present a performance comparison of two mitigation techniques for Cross-site Scripting (XSS) at the server side based on parameters like the application’s platform, middleware technology and browser used by the end user. We implemented the mitigation parsing technique using database and the replace technique in different platforms and middleware and checked their performance. We calculated the time taken by different browsers to render the pages using the two techniques under different platforms and middleware. In this paper we propose the best combination of development platform, browser and middleware for the two mitigation techniques with respect to developers and end users.
Nowadays, in the information era, we can get information with just a single click by using web applications. Web applications are popular due to the ubiquity of web browsers, and the convenience of using a web browser as a client, sometimes called a thin client. They play a major role in this: every organization is mapping its business from a room to the world with the help of these web applications. A web application consists of a three-tier structural design where the database is in the third tier, which is the most valuable asset in any organization. As the adoption of web applications increases day by day, the possible attacks are also increasing day by day. The most threatening attack, one which directly compromises the database, is called SQL injection. Various vulnerability scanners have been proposed to deal with this attack, but none of them is able to detect SQLI completely. Many tools have a very low accuracy ratio and produce a high rate of false positives; apart from that, all these tools take much time to scan. To avoid these problems and detect SQLI completely, we present NVS, a Network Based Vulnerability Scanner approach, which provides better coverage with no false positives in a short span of time.
INTRUSION DETECTION IN MULTITIER WEB APPLICATIONS USING DOUBLEGUARD - IJCI JOURNAL
Today, the use of distinct internet services and their applications by people is increasing by a very large amount. This usage results in an increase in data complexity. So, web services turn their focus to a multi-tier design where the web server acts as the front end and the database server acts as the back end. Attackers try to hack personal data by targeting the database server, hence more security needs to be provided to both the web server and the database server. In this paper, the DoubleGuard system proposes an efficient intrusion detection and prevention system which detects and prevents various attacks in multi-tier web applications. This IDS keeps track of all user sessions across both web server and database server. For this, it allocates a dedicated web container to each user’s session. Each user is associated with a unique session ID, which enhances security. The system builds a well-correlated model for the website and detects and prevents various types of attacks. The system is implemented using Apache web server with MySQL.
Study of Web Application Attacks & Their Countermeasures - idescitation
Web application security is among the hottest issues in the present web scenario due to the increasing use of web applications for e-business environments. Web applications have become the easiest way to provide a wide range of services to users. Due to the transfer of confidential data during these services, web applications are more vulnerable to attacks. Web application attacks occur because of a lack of security awareness and poor programming skills. According to the Imperva web application attack report [1], websites are probed once every two minutes and this has increased to ten attacks per second in the year 2012. In this paper we have presented the most common and dangerous web application attacks and their countermeasures.
Study of Cross-Site Scripting Attacks and Their Countermeasures - Editor IJCATR
In present-day time, most associations are making use of web services for improved services to their clients. With the upturn in the count of web users, there is a considerable hike in web attacks. Thus, security becomes the dominant matter in web applications. The disparate kinds of vulnerabilities result in disparate types of attacks. The attackers may take benefit of these vulnerabilities and can misuse the data in the database. Study indicates that more than 80% of the web applications are vulnerable to cross-site scripting (XSS) attacks. XSS is one of the fatal attacks and it has been practiced over the maximum number of well-known search engines and social sites. In this paper, we have considered XSS attacks, their types and different methods employed to resist these attacks with their corresponding limitations. Additionally, we have discussed the proposed approach for countering XSS attacks and how this approach is superior to others.
A Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptx - Gitam Gadtaula
As web applications become more prevalent, web security becomes more and more important. Cross-site scripting vulnerability abbreviated as XSS is a kind of common injection web vulnerability. The exploitation of XSS vulnerabilities can hijack users' sessions, modify, read and delete business data of web applications, place malicious codes in web applications, and control victims to attack other targeted servers. This paper discusses classification of XSS, and designs a demo website to demonstrate attack processes of common XSS exploitation scenarios. The paper also compares and analyzes recent research results on XSS detection, divides them into three categories according to different mechanisms. The three categories are static analysis methods, dynamic analysis methods and hybrid analysis methods. The paper classifies 30 detection methods into above three categories, makes overall comparative analysis among them, lists their strengths and weaknesses and detected XSS vulnerability types. In the end, the paper explores some ways to prevent XSS vulnerabilities from being exploited.
With the increased number of web applications, web security is becoming more and more significant. Cross-Site Scripting vulnerability, abbreviated as XSS, is a common web vulnerability. Exploiting XSS vulnerabilities can cause hijacked user sessions, malicious code injections into web applications, and critical information stealing. This article gives brief information about XSS, discusses its types, and designs a demo website to demonstrate attack processes of common XSS exploitation scenarios. The article also shows how to prevent XSS attacks with code illustrations.
Cross site scripting (XSS) is a type of computer security vulnerability typically found in web applications. In proposing defensive measures for cross site scripting, websites validate the user input and determine whether they are vulnerable to cross site scripting. The major considerations are input validation and output sanitization.
Many defense techniques have been introduced, and even though the coding methods used by developers are evolving to counter cross site scripting techniques, the security threat still persists in many web applications for the following reasons:
• The complexity of implementing the codes or methods.
• Non-existence of input data validation and output sanitization in all input fields of the application.
• Lack of knowledge in identifying hidden XSS issues etc.
This proposed project report will briefly discuss what cross site scripting is and highlight the security features and defense techniques that can help against this widely versatile attack.
Base Paper Abstract:
Most web applications have critical bugs (faults) affecting their security, which makes them vulnerable to attacks by hackers and organized crime. To prevent these security problems from occurring it is of utmost importance to understand the typical software faults. This paper contributes to this body of knowledge by presenting a field study on two of the most widely spread and critical web application vulnerabilities: SQL Injection and XSS. It analyzes the source code of security patches of widely used web applications written in weak and strong typed languages. Results show that only a small subset of software fault types, affecting a restricted collection of statements, is related to security. To understand how these vulnerabilities are really exploited by hackers, this paper also presents an analysis of the source code of the scripts used to attack them. The outcomes of this study can be used to train software developers and code inspectors in the detection of such faults and are also the foundation for the research of realistic vulnerability and attack injectors that can be used to assess security mechanisms, such as intrusion detection systems, vulnerability scanners, and static code analyzers.
Routine Detection Of Web Application Defence Flaws
IJTET Journal
Abstract— The detection process for security vulnerabilities in ASP.NET websites / web applications is a complex one, most of the code is written by somebody else and there is no documentation to determine the purpose of source code. The characteristic of source code defects generates major web application vulnerabilities. The typical software faults that are behind of web application vulnerabilities, taking into different programming languages. To analyze their ability to prevent security vulnerabilities ASP.NET which is part of .NET framework that separate the HTML code from the programming code in two files, aspx file and another for the programming code. It depends on the compiled language (Visual Basic VB, C sharp C#, Java Script). Visual Basic and C# are the most common languages using with ASP.NET files, and these two compiled languages are in the construction of our proposed algorithm in addition to aspx files. The hacker can inject his malicious as an input or script that can destroy the database or steal website files. By using scanning tool the fault detection process can be done. The scanning process inspects three types of files (aspx, VB and C#). Then the software faults are identified. By using fault recovery process the prepared replacement statement technique is used to detect the vulnerabilities and recover it with high efficiency and it provides suggestion then the report is generated then it will help to improve the overall security of the system.
Web Vulnerabilities And Exploitation - Compromising The Web
Zero Science Lab
One of the main problems of all big companies is how their applications are secured from cyber attacks. New types of vulnerabilities and attack vectors are being developed every day, therefore they pose a potential threat to all applications that rely on some kind of web technology. This document explains the most common and most dangerous web attacks as well as techniques how to secure your infrastructure from being compromised. We focus on SQL injections, XSS, CSRF, RFI/LFI and Server Side Includes. We discuss the attack vectors of web vulnerabilities and exploitation schemas. However, regardless of the security measures taken and defenses being deployed, there will always be a way in. Nevertheless, security analysis provide a valuable insight that can grant the advantage over said attackers and allow us to stay one step ahead.
“Are you one of them, who thinks that Cross-Site Scripting is just for some errors or pop-ups on the screen?” Yes?? Then today in this article, you’ll see how an XSS suffering web-page is not only responsible for the defacement of the web-application but also, it could disrupt a visitor’s privacy by sharing the login credentials or his authenticated cookies to an attacker without his/her concern.
This presentation is from Null/OWASP/G4H November Bangalore MeetUp 2014.
technology.inmobi.com/events/null-owasp-g4h-november-meetup
Talk Outline:-
A) Reflective-(Non-Persistent Cross-site Scripting)
- What is Reflective Cross-site scripting.
- Testing for Reflected Cross site scripting
How to Test
- Black Box testing
- Bypass XSS filters
- Gray Box testing
Tools
Defending Against Reflective Cross-site scripting.
Examples of Reflective Cross-Site Scripting Attacks.
B) Stored -(Persistent Cross-site Scripting)
What is Stored Cross-site scripting.
How to Test
- Black Box testing
- Gray Box testing
Tools
Defending Against Stored Cross-site scripting.
Examples of Stored Cross-Site Scripting Attacks.
Bibliometric analysis highlighting the role of women in addressing climate ch...
IJECEIAES
Fossil fuel consumption increased quickly, contributing to climate change
that is evident in unusual flooding and draughts, and global warming. Over
the past ten years, women's involvement in society has grown dramatically,
and they succeeded in playing a noticeable role in reducing climate change.
A bibliometric analysis of data from the last ten years has been carried out to
examine the role of women in addressing the climate change. The analysis's
findings discussed the relevant to the sustainable development goals (SDGs),
particularly SDG 7 and SDG 13. The results considered contributions made
by women in the various sectors while taking geographic dispersion into
account. The bibliometric analysis delves into topics including women's
leadership in environmental groups, their involvement in policymaking, their
contributions to sustainable development projects, and the influence of
gender diversity on attempts to mitigate climate change. This study's results
highlight how women have influenced policies and actions related to climate
change, point out areas of research deficiency and recommendations on how
to increase role of the women in addressing the climate change and
achieving sustainability. To achieve more successful results, this initiative
aims to highlight the significance of gender equality and encourage
inclusivity in climate change decision-making processes.
Voltage and frequency control of microgrid in presence of micro-turbine inter...
IJECEIAES
The active and reactive load changes have a significant impact on voltage
and frequency. In this paper, in order to stabilize the microgrid (MG) against
load variations in islanding mode, the active and reactive power of all
distributed generators (DGs), including energy storage (battery), diesel
generator, and micro-turbine, are controlled. The micro-turbine generator is
connected to MG through a three-phase to three-phase matrix converter, and
the droop control method is applied for controlling the voltage and
frequency of MG. In addition, a method is introduced for voltage and
frequency control of micro-turbines in the transition state from grid-connected mode to islanding mode. A novel switching strategy of the matrix
converter is used for converting the high-frequency output voltage of the
micro-turbine to the grid-side frequency of the utility system. Moreover,
using the switching strategy, the low-order harmonics in the output current
and voltage are not produced, and consequently, the size of the output filter
would be reduced. In fact, the suggested control strategy is load-independent
and has no frequency conversion restrictions. The proposed approach for
voltage and frequency regulation demonstrates exceptional performance and
favorable response across various load alteration scenarios. The suggested
strategy is examined in several scenarios in the MG test systems, and the
simulation results are addressed.
Enhancing battery system identification: nonlinear autoregressive modeling fo...
IJECEIAES
Precisely characterizing Li-ion batteries is essential for optimizing their
performance, enhancing safety, and prolonging their lifespan across various
applications, such as electric vehicles and renewable energy systems. This
article introduces an innovative nonlinear methodology for system
identification of a Li-ion battery, employing a nonlinear autoregressive with
exogenous inputs (NARX) model. The proposed approach integrates the
benefits of nonlinear modeling with the adaptability of the NARX structure,
facilitating a more comprehensive representation of the intricate
electrochemical processes within the battery. Experimental data collected
from a Li-ion battery operating under diverse scenarios are employed to
validate the effectiveness of the proposed methodology. The identified
NARX model exhibits superior accuracy in predicting the battery's behavior
compared to traditional linear models. This study underscores the
importance of accounting for nonlinearities in battery modeling, providing
insights into the intricate relationships between state-of-charge, voltage, and
current under dynamic conditions.
Smart grid deployment: from a bibliometric analysis to a survey
IJECEIAES
Smart grids are one of the last decades' innovations in electrical energy.
They bring relevant advantages compared to the traditional grid and
significant interest from the research community. Assessing the field's
evolution is essential to propose guidelines for facing new and future smart
grid challenges. In addition, knowing the main technologies involved in the
deployment of smart grids (SGs) is important to highlight possible
shortcomings that can be mitigated by developing new tools. This paper
contributes to the research trends mentioned above by focusing on two
objectives. First, a bibliometric analysis is presented to give an overview of
the current research level about smart grid deployment. Second, a survey of
the main technological approaches used for smart grid implementation and
their contributions are highlighted. To that effect, we searched the Web of
Science (WoS), and the Scopus databases. We obtained 5,663 documents
from WoS and 7,215 from Scopus on smart grid implementation or
deployment. With the extraction limitation in the Scopus database, 5,872 of
the 7,215 documents were extracted using a multi-step process. These two
datasets have been analyzed using a bibliometric tool called bibliometrix.
The main outputs are presented with some recommendations for future
research.
Use of analytical hierarchy process for selecting and prioritizing islanding ...
IJECEIAES
One of the problems that are associated to power systems is islanding
condition, which must be rapidly and properly detected to prevent any
negative consequences on the system's protection, stability, and security.
This paper offers a thorough overview of several islanding detection
strategies, which are divided into two categories: classic approaches,
including local and remote approaches, and modern techniques, including
techniques based on signal processing and computational intelligence.
Additionally, each approach is compared and assessed based on several
factors, including implementation costs, non-detected zones, declining
power quality, and response times using the analytical hierarchy process
(AHP). The multi-criteria decision-making analysis shows that the overall
weight of passive methods (24.7%), active methods (7.8%), hybrid methods
(5.6%), remote methods (14.5%), signal processing-based methods (26.6%),
and computational intelligent-based methods (20.8%) based on the
comparison of all criteria together. Thus, it can be seen from the total weight
that hybrid approaches are the least suitable to be chosen, while signal
processing-based methods are the most appropriate islanding detection
method to be selected and implemented in power system with respect to the
aforementioned factors. Using Expert Choice software, the proposed
hierarchy model is studied and examined.
Enhancing of single-stage grid-connected photovoltaic system using fuzzy logi...
IJECEIAES
The power generated by photovoltaic (PV) systems is influenced by
environmental factors. This variability hampers the control and utilization of
solar cells' peak output. In this study, a single-stage grid-connected PV
system is designed to enhance power quality. Our approach employs fuzzy
logic in the direct power control (DPC) of a three-phase voltage source
inverter (VSI), enabling seamless integration of the PV connected to the
grid. Additionally, a fuzzy logic-based maximum power point tracking
(MPPT) controller is adopted, which outperforms traditional methods like
incremental conductance (INC) in enhancing solar cell efficiency and
minimizing the response time. Moreover, the inverter's real-time active and
reactive power is directly managed to achieve a unity power factor (UPF).
The system's performance is assessed through MATLAB/Simulink
implementation, showing marked improvement over conventional methods,
particularly in steady-state and varying weather conditions. For solar
irradiances of 500 and 1,000 W/m², the results show that the proposed
method reduces the total harmonic distortion (THD) of the injected current
to the grid by approximately 46% and 38% compared to conventional
methods, respectively. Furthermore, we compare the simulation results with
IEEE standards to evaluate the system's grid compatibility.
Enhancing photovoltaic system maximum power point tracking with fuzzy logic-b...
IJECEIAES
Photovoltaic systems have emerged as a promising energy resource that
caters to the future needs of society, owing to their renewable, inexhaustible,
and cost-free nature. The power output of these systems relies on solar cell
radiation and temperature. In order to mitigate the dependence on
atmospheric conditions and enhance power tracking, a conventional
approach has been improved by integrating various methods. To optimize
the generation of electricity from solar systems, the maximum power point
tracking (MPPT) technique is employed. To overcome limitations such as
steady-state voltage oscillations and improve transient response, two
traditional MPPT methods, namely fuzzy logic controller (FLC) and perturb
and observe (P&O), have been modified. This research paper aims to
simulate and validate the step size of the proposed modified P&O and FLC
techniques within the MPPT algorithm using MATLAB/Simulink for
efficient power tracking in photovoltaic systems.
Adaptive synchronous sliding control for a robot manipulator based on neural ...
IJECEIAES
Robot manipulators have become important equipment in production lines, medical fields, and transportation. Improving the quality of trajectory tracking for
robot hands is always an attractive topic in the research community. This is a
challenging problem because robot manipulators are complex nonlinear systems
and are often subject to fluctuations in loads and external disturbances. This
article proposes an adaptive synchronous sliding control scheme to improve trajectory tracking performance for a robot manipulator. The proposed controller
ensures that the positions of the joints track the desired trajectory, synchronize
the errors, and significantly reduces chattering. First, the synchronous tracking
errors and synchronous sliding surfaces are presented. Second, the synchronous
tracking error dynamics are determined. Third, a robust adaptive control law is
designed, the unknown components of the model are estimated online by the neural network, and the parameters of the switching elements are selected by fuzzy
logic. The built algorithm ensures that the tracking and approximation errors
are ultimately uniformly bounded (UUB). Finally, the effectiveness of the constructed algorithm is demonstrated through simulation and experimental results.
Simulation and experimental results show that the proposed controller is effective with small synchronous tracking errors, and the chattering phenomenon is
significantly reduced.
Remote field-programmable gate array laboratory for signal acquisition and de...
IJECEIAES
A remote laboratory utilizing field-programmable gate array (FPGA) technologies enhances students’ learning experience anywhere and anytime in embedded system design. Existing remote laboratories prioritize hardware access and visual feedback for observing board behavior after programming, neglecting comprehensive debugging tools to resolve errors that require internal signal acquisition. This paper proposes a novel remote embedded-system design approach targeting FPGA technologies that are fully interactive via a web-based platform. Our solution provides FPGA board access and debugging capabilities beyond the visual feedback provided by existing remote laboratories. We implemented a lab module that allows users to seamlessly incorporate into their FPGA design. The module minimizes hardware resource utilization while enabling the acquisition of a large number of data samples from the signal during the experiments by adaptively compressing the signal prior to data transmission. The results demonstrate an average compression ratio of 2.90 across three benchmark signals, indicating efficient signal acquisition and effective debugging and analysis. This method allows users to acquire more data samples than conventional methods. The proposed lab allows students to remotely test and debug their designs, bridging the gap between theory and practice in embedded system design.
Detecting and resolving feature envy through automated machine learning and m...
IJECEIAES
Efficiently identifying and resolving code smells enhances software project quality. This paper presents a novel solution, utilizing automated machine learning (AutoML) techniques, to detect code smells and apply move method refactoring. By evaluating code metrics before and after refactoring, we assessed its impact on coupling, complexity, and cohesion. Key contributions of this research include a unique dataset for code smell classification and the development of models using AutoGluon for optimal performance. Furthermore, the study identifies the top 20 influential features in classifying feature envy, a well-known code smell, stemming from excessive reliance on external classes. We also explored how move method refactoring addresses feature envy, revealing reduced coupling and complexity, and improved cohesion, ultimately enhancing code quality. In summary, this research offers an empirical, data-driven approach, integrating AutoML and move method refactoring to optimize software project quality. Insights gained shed light on the benefits of refactoring on code quality and the significance of specific features in detecting feature envy. Future research can expand to explore additional refactoring techniques and a broader range of code metrics, advancing software engineering practices and standards.
Smart monitoring technique for solar cell systems using internet of things ba...
IJECEIAES
Rapidly and remotely monitoring and receiving the solar cell systems status parameters, solar irradiance, temperature, and humidity, are critical issues in enhancing their efficiency. Hence, in the present article an improved smart prototype of internet of things (IoT) technique based on embedded system through NodeMCU ESP8266 (ESP-12E) was carried out experimentally. Three different regions in Egypt (Luxor, Cairo, and El-Beheira cities) were chosen to study their solar irradiance profile, temperature, and humidity by the proposed IoT system. The monitoring data of solar irradiance, temperature, and humidity were live visualized directly by Ubidots through hypertext transfer protocol (HTTP) protocol. The measured solar power radiation in Luxor, Cairo, and El-Beheira ranged between 216-1000, 245-958, and 187-692 W/m², respectively, during the solar day. The accuracy and rapidity of obtaining monitoring results using the proposed IoT system made it a strong candidate for application in monitoring solar cell systems. On the other hand, the obtained solar power radiation results of the three considered regions strongly candidate Luxor and Cairo as suitable places to build up a solar cells system station rather than El-Beheira.
An efficient security framework for intrusion detection and prevention in int...
IJECEIAES
Over the past few years, the internet of things (IoT) has advanced to connect billions of smart devices to improve quality of life. However, anomalies or malicious intrusions pose several security loopholes, leading to performance degradation and threat to data security in IoT operations. Thereby, IoT security systems must keep an eye on and restrict unwanted events from occurring in the IoT network. Recently, various technical solutions based on machine learning (ML) models have been derived towards identifying and restricting unwanted events in IoT. However, most ML-based approaches are prone to miss-classification due to inappropriate feature selection. Additionally, most ML approaches applied to intrusion detection and prevention consider supervised learning, which requires a large amount of labeled data to be trained. Consequently, such complex datasets are impossible to source in a large network like IoT. To address this problem, this proposed study introduces an efficient learning mechanism to strengthen the IoT security aspects. The proposed algorithm incorporates supervised and unsupervised approaches to improve the learning models for intrusion detection and mitigation. Compared with the related works, the experimental outcome shows that the model performs well in a benchmark dataset. It accomplishes an improved detection accuracy of approximately 99.21%.
Developing a smart system for infant incubators using the internet of things ...
IJECEIAES
This research is developing an incubator system that integrates the internet of things and artificial intelligence to improve care for premature babies. The system workflow starts with sensors that collect data from the incubator. Then, the data is sent in real-time to the internet of things (IoT) broker Eclipse Mosquitto using the message queue telemetry transport (MQTT) protocol version 5.0. After that, the data is stored in a database for analysis using the long short-term memory network (LSTM) method and displayed in a web application using an application programming interface (API) service. Furthermore, the experimental results produce as many as 2,880 rows of data stored in the database. The correlation coefficient between the target attribute and other attributes ranges from 0.23 to 0.48. Next, several experiments were conducted to evaluate the model-predicted value on the test data. The best results are obtained using a two-layer LSTM configuration model, each with 60 neurons and a lookback setting 6. This model produces an R² value of 0.934, with a root mean square error (RMSE) value of 0.015 and a mean absolute error (MAE) of 0.008. In addition, the R² value was also evaluated for each attribute used as input, with a result of values between 0.590 and 0.845.
A review on internet of things-based stingless bee's honey production with im...
IJECEIAES
Honey is produced exclusively by honeybees and stingless bees which both are well adapted to tropical and subtropical regions such as Malaysia. Stingless bees are known for producing small amounts of honey and are known for having a unique flavor profile. Problem identified that many stingless bees collapsed due to weather, temperature and environment. It is critical to understand the relationship between the production of stingless bee honey and environmental conditions to improve honey production. Thus, this paper presents a review on stingless bee's honey production and prediction modeling. About 54 previous research has been analyzed and compared in identifying the research gaps. A framework on modeling the prediction of stingless bee honey is derived. The result presents the comparison and analysis on the internet of things (IoT) monitoring systems, honey production estimation, convolution neural networks (CNNs), and automatic identification methods on bee species. It is identified based on image detection method the top best three efficiency presents CNN is at 98.67%, densely connected convolutional networks with YOLO v3 is 97.7%, and DenseNet201 convolutional networks 99.81%. This study is significant to assist the researcher in developing a model for predicting stingless honey produced by bee's output, which is important for a stable economy and food security.
A trust based secure access control using authentication mechanism for intero...
IJECEIAES
The internet of things (IoT) is a revolutionary innovation in many aspects of our society including interactions, financial activity, and global security such as the military and battlefield internet. Due to the limited energy and processing capacity of network devices, security, energy consumption, compatibility, and device heterogeneity are the long-term IoT problems. As a result, energy and security are critical for data transmission across edge and IoT networks. Existing IoT interoperability techniques need more computation time, have unreliable authentication mechanisms that break easily, lose data easily, and have low confidentiality. In this paper, a key agreement protocol-based authentication mechanism for IoT devices is offered as a solution to this issue. This system makes use of information exchange, which must be secured to prevent access by unauthorized users. Using a compact contiki/cooja simulator, the performance and design of the suggested framework are validated. The simulation findings are evaluated based on detection of malicious nodes after 60 minutes of simulation. The suggested trust method, which is based on privacy access control, reduced packet loss ratio to 0.32%, consumed 0.39% power, and had the greatest average residual energy of 0.99 mJoules at 10 nodes.
Fuzzy linear programming with the intuitionistic polygonal fuzzy numbers
IJECEIAES
In real world applications, data are subject to ambiguity due to several factors; fuzzy sets and fuzzy numbers propose a great tool to model such ambiguity. In case of hesitation, the complement of a membership value in fuzzy numbers can be different from the non-membership value, in which case we can model using intuitionistic fuzzy numbers as they provide flexibility by defining both a membership and a non-membership functions. In this article, we consider the intuitionistic fuzzy linear programming problem with intuitionistic polygonal fuzzy numbers, which is a generalization of the previous polygonal fuzzy numbers found in the literature. We present a modification of the simplex method that can be used to solve any general intuitionistic fuzzy linear programming problem after approximating the problem by an intuitionistic polygonal fuzzy number with n edges. This method is given in a simple tableau formulation, and then applied on numerical examples for clarity.
The performance of artificial intelligence in prostate magnetic resonance im...
IJECEIAES
Prostate cancer is the predominant form of cancer observed in men worldwide. The application of magnetic resonance imaging (MRI) as a guidance tool for conducting biopsies has been established as a reliable and well-established approach in the diagnosis of prostate cancer. The diagnostic performance of MRI-guided prostate cancer diagnosis exhibits significant heterogeneity due to the intricate and multi-step nature of the diagnostic pathway. The development of artificial intelligence (AI) models, specifically through the utilization of machine learning techniques such as deep learning, is assuming an increasingly significant role in the field of radiology. In the realm of prostate MRI, a considerable body of literature has been dedicated to the development of various AI algorithms. These algorithms have been specifically designed for tasks such as prostate segmentation, lesion identification, and classification. The overarching objective of these endeavors is to enhance diagnostic performance and foster greater agreement among different observers within MRI scans for the prostate. This review article aims to provide a concise overview of the application of AI in the field of radiology, with a specific focus on its utilization in prostate MRI.
Seizure stage detection of epileptic seizure using convolutional neural networks
IJECEIAES
According to the World Health Organization (WHO), seventy million individuals worldwide suffer from epilepsy, a neurological disorder. While electroencephalography (EEG) is crucial for diagnosing epilepsy and monitoring the brain activity of epilepsy patients, it requires a specialist to examine all EEG recordings to find epileptic behavior. This procedure needs an experienced doctor, and a precise epilepsy diagnosis is crucial for appropriate treatment. To identify epileptic seizures, this study employed a convolutional neural network (CNN) based on raw scalp EEG signals to discriminate between preictal, ictal, postictal, and interictal segments. The possibility of these characteristics is explored by examining how well time-domain signals work in the detection of epileptic signals using intracranial Freiburg Hospital (FH), scalp Children's Hospital Boston-Massachusetts Institute of Technology (CHB-MIT) databases, and Temple University Hospital (TUH) EEG. To test the viability of this approach, two types of experiments were carried out. Firstly, binary class classification (preictal, ictal, postictal each versus interictal) and four-class classification (interictal versus preictal versus ictal versus postictal). The average accuracy for stage detection using CHB-MIT database was 84.4%, while the Freiburg database's time-domain signals had an accuracy of 79.7% and the highest accuracy of 94.02% for classification in the TUH EEG database when comparing interictal stage to preictal stage.
Analysis of driving style using self-organizing maps to analyze driver behavior
IJECEIAES
Modern life is strongly associated with the use of cars, but the increase in acceleration speeds and their maneuverability leads to a dangerous driving style for some drivers. In these conditions, the development of a method that allows you to track the behavior of the driver is relevant. The article provides an overview of existing methods and models for assessing the functioning of motor vehicles and driver behavior. Based on this, a combined algorithm for recognizing driving style is proposed. To do this, a set of input data was formed, including 20 descriptive features: About the environment, the driver's behavior and the characteristics of the functioning of the car, collected using OBD II. The generated data set is sent to the Kohonen network, where clustering is performed according to driving style and degree of danger. Getting the driving characteristics into a particular cluster allows you to switch to the private indicators of an individual driver and considering individual driving characteristics. The application of the method allows you to identify potentially dangerous driving styles that can prevent accidents.
Hyperspectral object classification using hybrid spectral-spatial fusion and ...
IJECEIAES
Because of its spectral-spatial and temporal resolution of greater areas, hyperspectral imaging (HSI) has found widespread application in the field of object classification. The HSI is typically used to accurately determine an object's physical characteristics as well as to locate related objects with appropriate spectral fingerprints. As a result, the HSI has been extensively applied to object identification in several fields, including surveillance, agricultural monitoring, environmental research, and precision agriculture. However, because of their enormous size, objects require a lot of time to classify; for this reason, both spectral and spatial feature fusion have been completed. The existing classification strategy leads to increased misclassification, and the feature fusion method is unable to preserve semantic object inherent features; This study addresses the research difficulties by introducing a hybrid spectral-spatial fusion (HSSF) technique to minimize feature size while maintaining object intrinsic qualities; Lastly, a soft-margins kernel is proposed for multi-layer deep support vector machine (MLDSVM) to reduce misclassification. The standard Indian pines dataset is used for the experiment, and the outcome demonstrates that the HSSF-MLDSVM model performs substantially better in terms of accuracy and Kappa coefficient.
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptxR&R Consult
CFD analysis is incredibly effective at solving mysteries and improving the performance of complex systems!
Here's a great example: At a large natural gas-fired power plant, where they use waste heat to generate steam and energy, they were puzzled that their boiler wasn't producing as much steam as expected.
R&R and Tetra Engineering Group Inc. were asked to solve the issue with reduced steam production.
An inspection had shown that a significant amount of hot flue gas was bypassing the boiler tubes, where the heat was supposed to be transferred.
R&R Consult conducted a CFD analysis, which revealed that 6.3% of the flue gas was bypassing the boiler tubes without transferring heat. The analysis also showed that the flue gas was instead being directed along the sides of the boiler and between the modules that were supposed to capture the heat. This was the cause of the reduced performance.
Based on our results, Tetra Engineering installed covering plates to reduce the bypass flow. This improved the boiler's performance and increased electricity production.
It is always satisfying when we can help solve complex challenges like this. Do your systems also need a check-up or optimization? Give us a call!
Work done in cooperation with James Malloy and David Moelling from Tetra Engineering.
More examples of our work https://www.r-r-consult.dk/en/cases-en/
Overview of the fundamental roles in Hydropower generation and the components involved in wider Electrical Engineering.
This paper presents the design and construction of hydroelectric dams from the hydrologist’s survey of the valley before construction, all aspects and involved disciplines, fluid dynamics, structural engineering, generation and mains frequency regulation to the very transmission of power through the network in the United Kingdom.
Author: Robbie Edward Sayers
Collaborators and co editors: Charlie Sims and Connor Healey.
(C) 2024 Robbie E. Sayers
Saudi Arabia stands as a titan in the global energy landscape, renowned for its abundant oil and gas resources. It's the largest exporter of petroleum and holds some of the world's most significant reserves. Let's delve into the top 10 oil and gas projects shaping Saudi Arabia's energy future in 2024.
Water scarcity is the lack of fresh water resources to meet the standard water demand. There are two type of water scarcity. One is physical. The other is economic water scarcity.
Student information management system project report ii.pdfKamal Acharya
Our project explains about the student management. This project mainly explains the various actions related to student details. This project shows some ease in adding, editing and deleting the student details. It also provides a less time consuming process for viewing, adding, editing and deleting the marks of the students.
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...Dr.Costas Sachpazis
Terzaghi's soil bearing capacity theory, developed by Karl Terzaghi, is a fundamental principle in geotechnical engineering used to determine the bearing capacity of shallow foundations. This theory provides a method to calculate the ultimate bearing capacity of soil, which is the maximum load per unit area that the soil can support without undergoing shear failure. The Calculation HTML Code included.
Hierarchical Digital Twin of a Naval Power SystemKerry Sado
A hierarchical digital twin of a Naval DC power system has been developed and experimentally verified. Similar to other state-of-the-art digital twins, this technology creates a digital replica of the physical system executed in real-time or faster, which can modify hardware controls. However, its advantage stems from distributing computational efforts by utilizing a hierarchical structure composed of lower-level digital twin blocks and a higher-level system digital twin. Each digital twin block is associated with a physical subsystem of the hardware and communicates with a singular system digital twin, which creates a system-level response. By extracting information from each level of the hierarchy, power system controls of the hardware were reconfigured autonomously. This hierarchical digital twin development offers several advantages over other digital twins, particularly in the field of naval power systems. The hierarchical structure allows for greater computational efficiency and scalability while the ability to autonomously reconfigure hardware controls offers increased flexibility and responsiveness. The hierarchical decomposition and models utilized were well aligned with the physical twin, as indicated by the maximum deviations between the developed digital twin hierarchy and the hardware.
NO1 Uk best vashikaran specialist in delhi vashikaran baba near me online vas...Amil Baba Dawood bangali
Contact with Dawood Bhai Just call on +92322-6382012 and we'll help you. We'll solve all your problems within 12 to 24 hours and with 101% guarantee and with astrology systematic. If you want to take any personal or professional advice then also you can call us on +92322-6382012 , ONLINE LOVE PROBLEM & Other all types of Daily Life Problem's.Then CALL or WHATSAPP us on +92322-6382012 and Get all these problems solutions here by Amil Baba DAWOOD BANGALI
#vashikaranspecialist #astrologer #palmistry #amliyaat #taweez #manpasandshadi #horoscope #spiritual #lovelife #lovespell #marriagespell#aamilbabainpakistan #amilbabainkarachi #powerfullblackmagicspell #kalajadumantarspecialist #realamilbaba #AmilbabainPakistan #astrologerincanada #astrologerindubai #lovespellsmaster #kalajaduspecialist #lovespellsthatwork #aamilbabainlahore#blackmagicformarriage #aamilbaba #kalajadu #kalailam #taweez #wazifaexpert #jadumantar #vashikaranspecialist #astrologer #palmistry #amliyaat #taweez #manpasandshadi #horoscope #spiritual #lovelife #lovespell #marriagespell#aamilbabainpakistan #amilbabainkarachi #powerfullblackmagicspell #kalajadumantarspecialist #realamilbaba #AmilbabainPakistan #astrologerincanada #astrologerindubai #lovespellsmaster #kalajaduspecialist #lovespellsthatwork #aamilbabainlahore #blackmagicforlove #blackmagicformarriage #aamilbaba #kalajadu #kalailam #taweez #wazifaexpert #jadumantar #vashikaranspecialist #astrologer #palmistry #amliyaat #taweez #manpasandshadi #horoscope #spiritual #lovelife #lovespell #marriagespell#aamilbabainpakistan #amilbabainkarachi #powerfullblackmagicspell #kalajadumantarspecialist #realamilbaba #AmilbabainPakistan #astrologerincanada #astrologerindubai #lovespellsmaster #kalajaduspecialist #lovespellsthatwork #aamilbabainlahore #Amilbabainuk #amilbabainspain #amilbabaindubai #Amilbabainnorway #amilbabainkrachi #amilbabainlahore #amilbabaingujranwalan #amilbabainislamabad
Explore the innovative world of trenchless pipe repair with our comprehensive guide, "The Benefits and Techniques of Trenchless Pipe Repair." This document delves into the modern methods of repairing underground pipes without the need for extensive excavation, highlighting the numerous advantages and the latest techniques used in the industry.
Learn about the cost savings, reduced environmental impact, and minimal disruption associated with trenchless technology. Discover detailed explanations of popular techniques such as pipe bursting, cured-in-place pipe (CIPP) lining, and directional drilling. Understand how these methods can be applied to various types of infrastructure, from residential plumbing to large-scale municipal systems.
Ideal for homeowners, contractors, engineers, and anyone interested in modern plumbing solutions, this guide provides valuable insights into why trenchless pipe repair is becoming the preferred choice for pipe rehabilitation. Stay informed about the latest advancements and best practices in the field.
ISSN: 2088-8708
Int J Elec & Comp Eng, Vol. 9, No. 2, April 2019 : 1393 - 1398
2.1. Reflected (non-persistent)
In Reflected XSS attacks, the malicious script is sent to the server in a request, and the server reflects that malicious code back in its response. The malicious code is then executed in the user's browser and steals the user's sensitive information. Reflected attacks normally reach the user through e-mail or malicious websites.
Example malicious link:
http://example.net/searchpage.php?searchkeyword=<script>alert ("XSS Attack"); </script>
2.2. Stored (persistent)
In Stored XSS attacks, malicious scripts are stored permanently in the web server database [5]. An attacker can inject scripts into a vulnerable web application by writing them in the comment section, post message section, etc. Whenever a normal user visits that comment section of the website, the injected scripts are executed and may steal the user's sensitive information.
Example: The attacker injects malicious code in the comment section of the vulnerable web page.
<script> alert("XSS Attack"); </script>
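The two attack types above, with the page's own example payloads passed through a vulnerable and a hardened renderer. This is an added example, not code from the paper: searchpage.php and searchkeyword come from the example link, the function names and the $comments array (standing in for database rows) are hypothetical, and htmlspecialchars() output encoding is standard PHP, shown as the conventional fix rather than the paper's technique.

```php
<?php
// Added illustration, not code from the paper. Function names and the
// $comments array (a stand-in for database rows) are hypothetical.

// Encode for HTML text and quoted attribute values. ENT_QUOTES covers both
// quote styles; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Reflected case, vulnerable: the request value is copied into the response
// as markup, both in an element body and in an attribute value.
function search_page_vulnerable(array $get): string {
    $kw = $get['searchkeyword'] ?? '';
    return "<h1>Results for $kw</h1>\n"
         . "<input name=\"searchkeyword\" value=\"$kw\">\n";
}

// Reflected case, hardened: same page, value encoded at the point of output.
function search_page_hardened(array $get): string {
    $kw = $get['searchkeyword'] ?? '';
    if (!is_string($kw)) {          // searchkeyword[]=x arrives as an array
        $kw = '';
    }
    return '<h1>Results for ' . h($kw) . "</h1>\n"
         . '<input name="searchkeyword" value="' . h($kw) . "\">\n";
}

// Stored case, hardened: rows are kept unmodified in storage and encoded
// every time they are rendered, so an old injected row is inert as well.
function comments_hardened(array $comments): string {
    $out = "<ul>\n";
    foreach ($comments as $c) {
        $out .= '  <li>' . h($c) . "</li>\n";
    }
    return $out . "</ul>\n";
}

// Constructed sample input, taken from the page's two examples.
$get      = ['searchkeyword' => '<script>alert ("XSS Attack"); </script>'];
$comments = ['Nice article', '<script> alert("XSS Attack"); </script>'];

echo search_page_vulnerable($get);  // the script element reaches the browser intact
echo search_page_hardened($get);    // the same value is rendered as plain text
echo comments_hardened($comments);
```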
3. LITERATURE WORK
Hydara et al. [6] conducted a literature study of 115 research papers related to XSS attacks from 2004 to 2012. Their study shows that Reflected XSS attacks are more popular than other types of XSS attacks. Their study also shows that most of the work was done on detecting and preventing XSS attack vulnerabilities instead of removing vulnerabilities from source code.
Shanmugasundaram, Ravivarman, and Thangavellu [7] stated that websites contain XSS vulnerabilities because developers lack the required knowledge of XSS attacks and are unable to implement existing solutions in their applications. Different solutions exist to prevent XSS attacks at the client side and the server side.
Noxes: Client-Side Solution. Developed by Kirda et al. [8], Noxes is a client-side web application firewall. It works in the client browser and acts as a personal firewall. When the user requests a URL, Noxes checks the filter list to validate the URL before sending the request to the server. For every new URL, an alert box asks the user to validate the URL. To avoid too many alerts there is a threshold (k): each page can have k external links, and these are considered valid for one click or for that session. With this solution, the user needs the knowledge to decide which URLs are safe and which are not.
SWAP: Server-Side Solution. Developed by Wurzinger et al. [9], SWAP means Secure Web Application Proxy. It is a reverse proxy technique. Input requests are ignored and only output responses are filtered to find XSS attacks. In the web application's JavaScript, it modifies the code by replacing Script with Script Ids (ex: <script> to <scrip5>), so executable JavaScript is converted into non-executable JavaScript. While sending a response to the client, it checks for JavaScript. If it finds any JavaScript, the response is considered an attack; if there is no JavaScript, the response is safe, and SWAP decodes all Script Ids and sends the response to the client. SWAP may not be suitable for applications with rapid code changes.
BIXSAN: Server-Side Solution. Developed by Chandra and Selvakumar [10], BIXSAN means Browser Independent XSS Sanitizer. BIXSAN only allows static tags and removes all dynamic tags. The JavaScript tester in BIXSAN finds existing in-line JavaScript code in static tags, filters scripted tags and finally creates a DOM for the content. That DOM is stored in a database or returned to the client. BIXSAN can prevent Reflected and Stored XSS attacks. The document DOM is created at the server side, and this DOM is used in the client browser.
EWAF: Server-Side Solution. Developed by Kazanavicius et al. [11], EWAF means Embedded Web Application Firewall. EWAF works based on blacklist and whitelist filters. Based on the user request, EWAF analyzes which attacks are possible, like XSS, SQL Injection, etc. After analyzing the possible attacks, the request is sent through the corresponding XSS module, SQL Injection module or other module based on the attack type. EWAF then decides whether it is a common request or an attack request based on the results of the corresponding attack module.
4. IMAGESUBXSS: THE PROPOSED TECHNIQUE TO PREVENT XSS ATTACKS
4.1. Overview
ImageSubXSS is an Image Substitute technique to prevent Cross-Site Scripting attacks. In this system, characters involved in XSS attacks are replaced with corresponding images. Figure 1 shows the ImageSubXSS system overview.
ImageSubXSS: an image substitute technique to prevent cross-site scripting attacks (PMD Nagarjun)
Figure 1. ImageSubXSS system overview
Developers need to include a single ImageSubXSS tool file to avoid XSS attacks in their web applications. This tool analyzes all POST and GET data at the server side and checks for malicious characters in user input data [12]. If any of those characters are present, it replaces them with the corresponding images. After these modifications, the data proceeds to the rest of the application. Depending on the web application, that data may be reflected back to the user's browser or stored in a database. Figure 2 shows how input data is handled by the ImageSubXSS system, simply considering "<" as a malicious character [13] and replacing it with the (lt.png) image.
Figure 2. The flow of input data in ImageSubXSS system
4.2. ImageSubXSS images
The ImageSubXSS tool uses images to prevent Cross-Site Scripting attacks. The tool checks for malicious characters like ", ', (, , <, and &#. It replaces those malicious characters with corresponding images. All these images are highly compressed to improve performance. The sizes of these images are between 200 and 600 bytes. Table 1 shows the characters and corresponding images; these characters are the special characters most frequently involved in XSS attacks.
The ImageSubXSS tool allows developers to choose different color images based on their web application's background. Black Images: these images are clearly visible on web applications with light-colored backgrounds; see the example shown in Figure 3. White Images: these images can be used in web applications with dark-colored backgrounds; see the example shown in Figure 4.
Figure 3. Black images on the light color background
Figure 4. White images on the dark color background
Content of Figure 2 (flow of input data through ImageSubXSS):
User input data with attack script in the search field (at browser):
search = <script>alert("attack");</script>
User input data is converted into the code below (at server):
$_POST['search'] = <img src="lt.png" > script>alert("attack"); <img src="lt.png" >/script>
Processed user input data looks like the code below (at browser):
search = [lt.png image]script>alert("attack"); [lt.png image]/script>
Table 1. Characters and Corresponding Image
Character    Black Image    White Image
"            (image)        (image)
'            (image)        (image)
(            (image)        (image)
<            (image)        (image)
&#           (image)        (image)
4.3. Testing on real world web application
We tested a web application with our proposed system. ImageSubXSS is able to prevent all XSS attacks. We implemented the system in the PHP programming language, but it can be implemented in any language and can be used on any web application. Developers need to include the ImageSubXSS tool file. So the only modification required to implement ImageSubXSS in an existing web application is to add the code below at the beginning of the PHP file that handles user input data.
<?php
// Input data in this file is filtered by the ImageSubXSS tool
include "ImageSubXSS.php";
// …
// Remaining code may contain code to show data to the user or
// store data in a database
?>
In the above code, the ImageSubXSS.php file contains functions to filter and replace malicious characters with corresponding images. Figure 5 shows a web page without any XSS security and Figure 6 shows a web page with the ImageSubXSS system to prevent XSS attacks.
Figure 5. A web page without any XSS security measures
Figure 6. A web page with an ImageSubXSS security system
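One way the input filter described in sections 4.1 to 4.3 could be written, as an added example (not the authors' ImageSubXSS.php). The function names and every image file name except lt.png are assumptions, the character list follows Table 1, and the sample request values are constructed.

```php
<?php
// Added illustration; NOT the authors' ImageSubXSS.php.
// Characters from Table 1 mapped to image files. Only lt.png is named on the
// page; the other file names are assumptions.
const IMAGESUB_MAP = [
    '"'  => 'dq.png',
    "'"  => 'sq.png',
    '('  => 'lp.png',
    '<'  => 'lt.png',
    '&#' => 'amphash.png',
];

// Build the character => <img> tag table once per request.
function imagesub_table(string $dir = ''): array {
    $table = [];
    foreach (IMAGESUB_MAP as $needle => $file) {
        $table[$needle] = '<img src="' . $dir . $file . '" >';
    }
    return $table;
}

// strtr() with an array scans the input once and never rescans text it has
// inserted, so the < and " inside the generated <img> tags stay intact.
// Chained str_replace() calls would rewrite those characters as well.
function imagesub_filter($value, array $table) {
    if (is_array($value)) {             // e.g. tags[]=a&tags[]=b
        return array_map(function ($v) use ($table) {
            return imagesub_filter($v, $table);
        }, $value);                     // array keys are left as they are
    }
    return is_string($value) ? strtr($value, $table) : $value;
}

// What the single include would do before the application reads its input.
function imagesub_apply(): void {
    $table  = imagesub_table();
    $_GET   = imagesub_filter($_GET, $table);
    $_POST  = imagesub_filter($_POST, $table);
}

// Constructed sample request.
$_POST = [
    'search' => '<script>alert("attack");</script>',
    'name'   => "O'Brien",
    'tags'   => ['a<b', 'plain'],
];
imagesub_apply();
print_r($_POST);
```

Characters outside the table, such as >, pass through unchanged, as in the page's own Figure 2 output. The application also receives the rewritten value (the constructed name O'Brien now contains an <img> tag), which is worth checking against the data-handling caveat in section 6.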
5. EVALUATION
We manually tested and verified our solution with more than 100 XSS attacks [14] from different sources like the OWASP XSS Filter Evasion Cheat Sheet [15] etc. The ImageSubXSS system is able to prevent all attack vectors with a 100% prevention rate; Figure 7 and Figure 8 show example XSS attack vectors. ImageSubXSS will not break the look of the web application even if there is an XSS attack.
Figure 7. XSS attack 1 and corresponding ImageSubXSS output
Figure 8. XSS attack 2 and corresponding ImageSubXSS output
6. LIMITATIONS AND FUTURE WORK
The ImageSubXSS system can be implemented in an existing web application with a single line of code, but sometimes developers need to configure it properly to integrate this solution into their web applications. If developers have their own XSS prevention functions, those need to be executed first; otherwise ImageSubXSS may cause problems while handling user data. The proposed solution works most effectively on small and simple web applications, compared to large and complex web applications.
Currently, the Image Substitute system to prevent XSS attacks is implemented in PHP, so it only supports PHP web applications. We are working on implementations in other programming languages like Java, Python, ASP, etc. The ImageSubXSS system shows negligible performance issues while handling large user input data.
7. CONCLUSION
Web applications are growing rapidly. Cross-Site Scripting attacks are popular web application attacks, and XSS attacks are difficult to prevent. Previous solutions are difficult to integrate into existing websites. An Image Substitute Technique named ImageSubXSS was proposed to prevent Cross-Site Scripting attacks in web applications. ImageSubXSS can be integrated into existing websites with a single line of code. ImageSubXSS is most effective in simple web applications. Our evaluation shows that ImageSubXSS can prevent every possible XSS attack that exists on popular XSS Cheat Sheets.
REFERENCES
[1] S. Gupta and B. B. Gupta, “Cross-Site Scripting (XSS) Attacks and Defense Mechanisms: Classification and State-
of-the-art,” International Journal of System Assurance Engineering and Management, vol. 8(1), pp. 512–530, Jan
2017.
[2] B. Rexha, A. Halili, K. Rrmoku, and D. Imeraj, “Impact of Secure Programming on Web Application
Vulnerabilities,” in 2015 IEEE International Conference on Computer Graphics, Vision and Information Security
(CGVIS), pp. 61–66, 2015.
[3] G. Podjarny, “XSS Attacks: The Next Wave | Snyk,” Snyk, 08-Jun-2017. [Online].
Available: https://snyk.io/blog/xss-attacks-the-next-wave.
[4] V. Nithya, S. L. Pandian, and C. Malarvizhi, “A Survey on Detection and Prevention of Cross-site Scripting
Attack,” International Journal of Security and Its Applications, vol. 9(3), pp. 139-152, 2015.
[5] X. Li and Y. Xue, “A Survey on Server-side Approaches to Securing Web Applications,” ACM Comput. Surv., vol.
46(4), pp. 54:1–54:29, Mar 2014.
[6] I. Hydara, A. B. Sultan, H. Zulzalil, and N. Admodisastro, “Current State of Research on Cross-site Scripting
(XSS) – A Systematic Literature Review,” Information and Software Technology, vol. 58, pp. 170–186, Feb 2015.
[7] G. Shanmugasundaram, S. Ravivarman, and P. Thangavellu, “A Study on Removal Techniques of Cross-Site
Scripting from Web Applications,” in 2015 International Conference on Computation of Power, Energy,
Information and Communication (ICCPEIC), pp. 0436–0442, 2015.
[8] E. Kirda, C. Kruegel, G. Vigna, and N. Jovanovic, “Noxes: A Client-side Solution for Mitigating Cross-site
Scripting Attacks,” in Proceedings of the 2006 ACM Symposium on Applied Computing, Dijon, France,
pp. 330–337, 2006.
[9] P. Wurzinger, C. Platzer, C. Ludl, E. Kirda, and C. Kruegel, “SWAP: Mitigating XSS Attacks Using a Reverse
Proxy,” in Proceedings of the 2009 ICSE Workshop on Software Engineering for Secure Systems, pp. 33–39, 2009.
[10] S. C. V. and S. Selvakumar, “BIXSAN: Browser Independent XSS Sanitizer for Prevention of XSS Attacks,”
SIGSOFT Softw. Eng. Notes, vol. 36(5), pp. 1–7, Sep 2011.
[11] E. Kazanavicius, V. Kazanavicius, A. Venckauskas, and R. Paskevicius, “Securing Web Application by Embedded
Firewall,” Elektronika ir Elektrotechnika, vol. 119(3), pp. 65–68, Mar 2012.
[12] T. Scholte, W. Robertson, D. Balzarotti, and E. Kirda, “An Empirical Analysis of Input Validation Mechanisms in
Web Applications and Languages,” in Proceedings of the 27th Annual ACM Symposium on Applied Computing,
Trento, Italy, pp. 1419–1426, 2012.
[13] A. Javed and J. Schwenk, “Systematically Breaking Online WYSIWYG Editors,” in Information Security
Applications, pp. 122–133, 2015.
[14] R. Assis, “XSS Cheat Sheet,” Leanpub, 2018.
[15] OWASP, “XSS Filter Evasion Cheat Sheet-OWASP.” [Online].
Available: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet.