Models and scenarios of implementation of threats for internet resources
https://doi.org/10.32362/2500-316X-2020-8-6-9-33
Abstract
To facilitate the detection of various vulnerabilities, there are many different tools (scanners) that help analyze the security of web applications and support the development of their protection. For the most part, however, these tools can only identify problems; they are not capable of fixing them. The knowledge of the security developer is therefore the key factor in building a secure Web resource. To resolve application security problems, developers must know the ways and vectors of the various attacks in order to be able to develop suitable protection mechanisms. This review discusses two of the most dangerous classes of vulnerability in the field of Web technologies, SQL injection and cross-site scripting (XSS), together with specific cases and examples of their application and various approaches to identifying such vulnerabilities in applications and preventing the threats. Both cross-site scripting and SQL injection attacks stem from the validation of input data. The mechanisms of the two attacks are very similar, but in an XSS attack the victim is the user, while in an SQL injection attack it is the database server of the Web application. In XSS attacks, malicious content is delivered to users by means of a client-side programming language such as JavaScript, whereas SQL injection uses the SQL database query language. At the same time, XSS attacks, unlike SQL injections, harm only the client side and leave the application server operational. Developers should therefore build security into both the server components and the client part of the web application.
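The abstract's central point is that both attacks arise from trusting input data, on the server in the case of SQL injection and in the user's browser in the case of XSS. The example below, added here and not part of the paper, shows each vulnerable pattern beside its hardened form: a query built by string concatenation versus a parameterized query, and comment markup written straight into HTML versus escaped output. The database, table, user names and comment strings are constructed for the demonstration.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory sample database with two ordinary users
    and one whose name contains an apostrophe (a legitimate edge case)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, comment TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hello"), ("bob", "see you"), ("O'Brien", "hi there")],
    )
    return conn


def find_user_unsafe(conn, name):
    # Vulnerable pattern: the input becomes part of the SQL text, so quotes
    # and operators inside it change the meaning of the query.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    # Hardened pattern: the driver passes the value separately from the SQL
    # text, so whatever the input contains it is only ever compared as data.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def unsafe_query_breaks(conn, name):
    """True if the concatenated query fails on this input. A name with an
    apostrophe is enough to break it, which is why the same bug shows up as
    both a functional defect and an injection vector."""
    try:
        find_user_unsafe(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


def render_comment_unsafe(comment):
    # Vulnerable pattern: user-supplied text is placed into the page as
    # markup, so tags and script in it are interpreted by the browser.
    return "<p>" + comment + "</p>"


def render_comment_safe(comment):
    # Hardened pattern: HTML-escape untrusted text for this output context
    # so the browser shows it literally instead of executing it.
    return "<p>" + html.escape(comment, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"          # constructed injection-style input
    print("unsafe:", find_user_unsafe(db, probe))   # every user is returned
    print("safe:  ", find_user_safe(db, probe))     # no user has that name
    print("safe:  ", find_user_safe(db, "O'Brien")) # apostrophe handled
    print(render_comment_unsafe("<script>alert(1)</script>"))
    print(render_comment_safe("<script>alert(1)</script>"))
```

Run as a script it prints the two query results and the two renderings side by side. The parameterized query and the context-specific escaping are the two mitigations the abstract's final sentence calls for: one protects the database server, the other protects the user's browser, and neither relies on recognising particular attack strings.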
About the Author
S. A. Lesko, Russian Federation
Sergey A. Lesko, Cand. Sci. (Engineering), Associate Professor of the Department «Applied information technology», Institute of Integrated Security and Special Instrumentation
78, Vernadskogo pr., Moscow 119454
Scopus Author ID: 57189664364
References
1. Kaur D., Kaur P. Empirical Analysis of Web Attacks. Procedia Computer Science. 2016;78:298-306. https://doi.org/10.1016/j.procs.2016.02.057
2. Nagpal B., Chauhan N., Singh N. A Survey on the detection of SQL injection attacks and their countermeasures. J. Inf. Process. Syst. 2017;13(4):689-702. https://doi.org/10.3745/JIPS.03.0024
3. Wang K., Hou Y. Detection method of SQL injection attack in cloud computing environment. In: 2016 IEEE Advanced Information Management, Communicates, Electronic and Automation Control Conference (IMCEC). P. 487-493. https://doi.org/10.1109/IMCEC.2016.7867260
4. Hu H. Research on the technology of detecting the SQL injection attack and non-intrusive prevention in WEB system. AIP Conference Proceedings. 2017;1839(1):020205. https://doi.org/10.1063/1.4982570
5. Lounis O., Guermeche S.E.B., Saoudi L., Benaicha S.E. A new algorithm for detecting SQL injection attack in Web application. In: 2014 Science and Information Conference (SAI). P. 589-594. https://doi.org/10.1109/SAI.2014.6918246
6. Voitovych O.P., Yuvkovetskyi O.S., Kupershtein L.M. SQL injection prevention system. In: 2016 International Conference Radio Electronics & Info Communications (UkrMiCo). P. 1-4. https://doi.org/10.1109/UkrMiCo.2016.7739642
7. Razzaq A., Anwar Z., Ahmad H.F., Latif K., Munir F. Ontology for attack detection: An intelligent approach to Web application security. Computers & Security. 2014;45:124-146. https://doi.org/10.1016/j.cose.2014.05.005
8. Vibhandik R., Bose A.K. Vulnerability assessment of Web applications – a testing approach. In: Fourth International Conference on e-Technologies and Networks for Development (ICeND). 2015. P. 16-21. https://doi.org/10.1109/ICeND.2015.7328531
9. Sahu D.R., Tomar D.S. Analysis of Web application code vulnerabilities using secure coding standards. Arab. J. Sci. Eng. 2017;42(2):885-895. https://doi.org/10.1007/s13369-016-2362-5
10. Shar L.K., Tan H.B.K. Predicting SQL injection and Cross site scripting vulnerabilities through mining input sanitization patterns. Inform. Software Tech. 2013;55(10):1767-1780. http://dx.doi.org/10.1016/j.infsof.2013.04.002
11. Canfora G., Visaggio C.A. A set of features to detect Web security threats. Journal of Computer Virology and Hacking Techniques. 2016;12(4):243-261. https://doi.org/10.1007/s11416-016-0266-2
12. Wang C.-H., Zhou Y.-S. A new Cross-Site scripting detection mechanism integrated with HTML5 and CORS properties by using browser extensions. In: International Computer Symposium (ICS). 2016. P. 264-269. https://doi.org/10.1109/ICS.2016.0060
13. Alvarez E.D., Correa B.D., Arango I.F. An analysis of XSS, CSRF and SQL injection in colombian software and web site development. In: 8th Euro American Conference on Telematics and Information Systems (EATIS). 2016. P. 1-5. https://doi.org/10.1109/EATIS.2016.7520140
14. Gupta S., Gupta B.B. Automated Discovery of JavaScript Code Injection Attacks in PHP Web Applications. Procedia Computer Science. 2016;78:82-87. https://doi.org/10.1016/j.procs.2016.02.014
15. Vishnu B.A., Jevitha K.P. Prediction of Cross-Site Scripting Attack Using Machine Learning Algorithms. In: Proc. International Conference on Interdisciplinary Advances in Applied Computing 2014 (ICONIAAC '14). Article 55. https://doi.org/10.1145/2660859.2660969
16. Shrivastava A., Choudhary S., Kumar A. XSS vulnerability assessment and prevention in web application. In: 2nd International Conference on Next Generation Computing Technologies (NGCT-2016). P. 850-853. https://doi.org/10.1109/NGCT.2016.7877529
17. Sivakorn S., Keromytis A.D., Polakis J. That's the way the Cookie crumbles: Evaluating HTTPS enforcing mechanisms. In: Proceedings of the 2016 ACM on Workshop on Privacy in the Electronic Society (WPES '16). P. 71-81. http://dx.doi.org/10.1145/2994620.2994638
18. Wang R., Xu G., Zeng X., Li X., Feng Z. TT-XSS: A novel taint tracking based dynamic detection framework for DOM Cross-Site Scripting. J. Parallel Distrib. Comput. 2017;118(1):100-106. https://doi.org/10.1016/j.jpdc.2017.07.006
19. Zalbina M.R., Septian T.W., Stiawan D., Idris M.Y., Heryanto A., Budiarto R. Payload recognition and detection of Cross Site Scripting attack. In: 2nd International Conference on Anti-Cyber Crimes (ICACC-17). 2017. P. 172-176. https://doi.org/10.1109/Anti-Cybercrime.2017.7905285
20. Jerkovic H., Vranesic P., Dadic S. Securing web content and services in open source content management systems. In: 39th International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO) 2016. P. 1402-1407. https://doi.org/10.1109/MIPRO.2016.7522359
21. Zhang S., Wang W., Chen Z., Gu H., Liu J., Wang C. A web page malicious script detection system. In: 3rd International Conference on Cloud Computing and Intelligence Systems. IEEE 2014. P. 394-399. https://doi.org/10.1109/CCIS.2014.7175767
22. Rexha B., Halili A., Rrmoku K., Imeraj D. Impact of secure programming on web application vulnerabilities. In: International Conference on Computer Graphics, Vision and Information Security (CGVIS). 2015 IEEE. P. 61-66. https://doi.org/10.1109/cgvis.2015.7449894
23. Filipe R., Araujo F. Client-side monitoring techniques for web sites. In: 15th International Symposium on Network Computing and Applications (NCA). 2016 IEEE. P. 363-366. https://doi.org/10.1109/NCA.2016.7778642
24. Zachara M. Identification of scanning and attacks against web applications with graph-based modeling of users' behavior. In: 3rd IEEE International Conference on Cybernetics 2017 (CYBCONF). 8 p. https://doi.org/10.1109/CYBConf.2017.7985783
25. Jemi Hazel J., Valarmathie P., Saravanan R. Guarding web application with multi-angled attack detection. In: International Conference on Soft-Computing and Network Security (ICSNS-2015). 4 p. https://doi.org/10.1109/ICSNS.2015.729238
Supplementary files
1. SQL injections. Type: Research tools (99 KB)
Review
For citations:
Lesko S.A. Models and scenarios of implementation of threats for internet resources. Russian Technological Journal. 2020;8(6):9-33. (In Russ.) https://doi.org/10.32362/2500-316X-2020-8-6-9-33