An improving way for Website security assessment

Web-based enterprise applications, such as e-commerce, online banking, online auctions, social networks and forums, have become more and more popular in our society, and these applications have become the target of security attacks. Hence, securing websites and their connections to users is important. If we own or manage a website, we are certainly concerned about how secure it is. To assess the security level of a website, we usually take some actions, including testing the website with security scanning tools. Unfortunately, most scanning tools have limitations and need to be updated frequently for new vulnerabilities. Using only one scanning tool is sometimes not enough to determine the security level of a website. In this paper we propose a framework supporting website security assessment. The idea of this framework is to integrate different scanning tools into the framework. We then write a program to implement this framework with a real website. We guide users on how to add a new scanning tool to this framework, manage it and generate a final report. In addition, we discuss a client-side security problem called the clickjacking attack, which many clients may suffer when accessing malicious websites, and we propose a method to protect your web app

...
Figure 8. The interface of VulScanner.
Table I
Blackbox Plugins
Plugin   | Search for vulnerability type
SQLMap   | SQL injections
Wapiti   | Different types of vulnerabilities
ZAP      | Different types of vulnerabilities
Arachni  | Different types of vulnerabilities

Table II
Whitebox Plugins
Plugin   | Search for vulnerability type
CPPCheck | C++ programming code
Findbugs | Java source code
Jlint    | Java source code
Jslint   | JavaScript source code, syntax only
PHPlint  | PHP source code, syntax only
Pixy     | XSS and SQL injections
Yasca    | Open source program, discontinued
From the results displayed in the VulScanner interface, we can follow the link to find more details of each vulnerability, such as the name of the plugin which found the vulnerability, the URL at which it was found, the vulnerability description, its severity, and a link out to where more details about the vulnerability can be found.

Table III
Demonstration with VulScanner
Plugins: Arachni, SQLMap, Wapiti
Found vulnerabilities:
  Cross-Site Scripting (XSS)
  Blind SQL Injection (timing attack)
  Cross-Site Scripting (XSS)
  SQL Injection
  HTTP TRACE
  X-Frame-Options header not set
  HTTPOnly Cookie
  Interesting response

Table IV
Vulnerabilities in OWASP Top 10
Vulnerability name      | OWASP Top 10
Command Execution       | A1 (2017)
CSRF                    | A8 (2013)
File Inclusion          | A3 (2007)
SQL Injection           | A1 (2017)
XSS                     | A7 (2017)
Path Traversal          | A5 (2017)
Sensitive Data Exposure | A3 (2017)
Weak Credentials        | A2 (2017)

Similarly, we demonstrated VulScanner with whitebox scanning and received experimental results as expected.
Further tests were performed on a website containing different vulnerabilities, described as OWASP Top 10, in Table IV.
N. D. Thai & N. H. Hieu: An Improving Way for Website Security Assessment 27

Table V
Scanning Results with DVWA
Plugin    | Scanning time (hh:mm:ss) | Number of vulnerabilities
Arachni   | 05:28:12                 | 293
SQLMap    | 00:01:46                 | 1
Wapiti    | 00:21:53                 | 5
ZAP       | 00:12:14                 | 141
Pixy      | 00:00:38                 | 0
YASCA     | 00:01:09                 | 323
Framework | 06:18:42                 | 386

VulScanner runs on Windows 7 on a computer with 2 GB of RAM and a Core 2 Duo E8500 CPU. We call each plugin separately and compare the total scanning time and the number of vulnerabilities with the results received from VulScanner (Table V). Some vulnerabilities can be found by more than one scanning tool, so the number of vulnerabilities found by VulScanner is smaller than the total number of vulnerabilities found by the tools called separately. VulScanner calls the plugins sequentially, so the time it requires to complete the experiment is a little longer than the total time of all the individual scans.
One more experiment was performed with the website provided by Acunetix, as shown in [6], using the same system configuration as mentioned above. The website source code is not available, so only the blackbox scanning method could be used. We chose SQLMap, Wapiti and ZAP as the plugins in VulScanner. We repeated the test 3 times and received the results shown in Table VI. The scanning times of the different tests differ because of the network state.
The numbers of vulnerabilities are shown in Table VII. They differ because of the network state: some of the connection requests failed or timed out.
The proposed framework was implemented and provided the results we expected. The accuracy of the testing depends on the plugins selected and on their accuracy. The more plugins are selected, the longer it takes to complete the scanning. Blackbox tests are usually the fastest tests; however, the limited information available to the testers increases the probability that vulnerabilities will be overlooked and decreases the efficiency of the tests. Whitebox tests are usually slow, and the large amount of data available to the testers requires time to process.
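The two steps that a plugin framework of this kind has to perform, normalising each tool's native output into one report schema and merging findings that several tools report for the same issue (which is why the framework total in Table V is lower than the sum of the per-plugin totals), can be made concrete with a small example. The code below is an added illustration and is not VulScanner's own code: the two plugin output formats ("toolA" JSON and "toolB" tab-separated lines), the adapter functions, the thresholds on the de-duplication key and the sample findings are all constructed for the example; only the OWASP Top 10 mapping is taken from Table IV.

```javascript
// Added example (not VulScanner's own code): normalise the output of several
// scanners into one report schema and merge duplicate findings across tools.
// The plugin output formats below are constructed for the example; a real
// adapter would parse the real tool's report format instead.

// OWASP Top 10 mapping from Table IV of the paper.
const OWASP_TOP10 = {
  "Command Execution": "A1 (2017)",
  "CSRF": "A8 (2013)",
  "File Inclusion": "A3 (2007)",
  "SQL Injection": "A1 (2017)",
  "XSS": "A7 (2017)",
  "Path Traversal": "A5 (2017)",
  "Sensitive Data Exposure": "A3 (2017)",
  "Weak Credentials": "A2 (2017)",
};

// Different tools name the same class of issue differently; normalise to the
// names used in Table IV so the OWASP lookup and the merge key agree.
const TYPE_ALIASES = {
  "cross-site scripting": "XSS",
  "xss": "XSS",
  "sql injection": "SQL Injection",
  "blind sql injection": "SQL Injection",
  "sqli": "SQL Injection",
};

function canonicalType(raw) {
  // Drop trailing qualifiers such as "(timing attack)" before the lookup.
  const key = raw.trim().toLowerCase().replace(/\s*\(.*\)$/, "");
  return TYPE_ALIASES[key] || raw.trim();
}

// One adapter per plugin; each returns findings in the common schema
// { plugin, type, url, parameter, severity, description }.
const adapters = {
  // Hypothetical "toolA": a JSON array of issues.
  toolA: (out) => JSON.parse(out).map((i) => ({
    plugin: "toolA", type: canonicalType(i.name), url: i.url,
    parameter: i.param || "", severity: i.severity, description: i.desc || "",
  })),
  // Hypothetical "toolB": one finding per line, tab-separated fields.
  toolB: (out) => out.trim().split("\n").map((line) => {
    const [type, url, parameter, severity] = line.split("\t");
    return { plugin: "toolB", type: canonicalType(type), url,
             parameter: parameter || "", severity, description: "" };
  }),
};

// Merge key: same issue type, same path and same parameter collapse into one
// row, regardless of which tool reported it or which query value it used.
function findingKey(f) {
  let path;
  try { path = new URL(f.url).pathname; } catch (e) { path = f.url; }
  return `${f.type}|${path}|${f.parameter.toLowerCase()}`;
}

function mergeFindings(rawOutputs) {
  const merged = new Map();
  for (const [plugin, output] of Object.entries(rawOutputs)) {
    const adapter = adapters[plugin];
    if (!adapter) throw new Error(`no adapter registered for plugin ${plugin}`);
    for (const f of adapter(output)) {
      const key = findingKey(f);
      const existing = merged.get(key);
      if (existing) {
        existing.foundBy.push(plugin); // remember every tool that saw it
      } else {
        merged.set(key, { ...f, foundBy: [plugin], owasp: OWASP_TOP10[f.type] || "unmapped" });
      }
    }
  }
  return [...merged.values()];
}

// Per-OWASP-category counts for the final report.
function summary(findings) {
  const byOwasp = {};
  for (const f of findings) byOwasp[f.owasp] = (byOwasp[f.owasp] || 0) + 1;
  return { total: findings.length, byOwasp };
}

// Constructed sample outputs (not real scanner output); target.example is a placeholder host.
const SAMPLE_OUTPUTS = {
  toolA: JSON.stringify([
    { name: "Cross-Site Scripting", url: "http://target.example/search.php?q=1", param: "q", severity: "high" },
    { name: "Blind SQL Injection (timing attack)", url: "http://target.example/listproducts.php?cat=1", param: "cat", severity: "high" },
  ]),
  toolB: "SQL Injection\thttp://target.example/listproducts.php?cat=2\tcat\thigh\n" +
         "XSS\thttp://target.example/search.php?q=x\tq\tmedium\n" +
         "HTTP TRACE\thttp://target.example/\t\tlow\n",
};

if (typeof require !== "undefined" && require.main === module) {
  const merged = mergeFindings(SAMPLE_OUTPUTS);
  console.log(JSON.stringify({ findings: merged, summary: summary(merged) }, null, 2));
}
```

With the constructed inputs, five raw findings collapse into three merged rows: the XSS and the SQL injection are each reported by both tools, and HTTP TRACE remains unmapped because Table IV has no OWASP category for it. Adding a new plugin to such a framework means writing one more adapter and registering it under the plugin's name.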
Table VI
Scanning Time [in seconds]
Test | SQLMap | Wapiti  | ZAP  | VulScanner
1    | 26     | 1:8:20  | 1:25 | 1:10:11
2    | 32     | 1:18:55 | 1:45 | 1:21:12
3    | 18     | 1:12:52 | 1:22 | 1:14:32

Table VII
Number of Vulnerabilities Found
Test | Number of Vulnerabilities Found by VulScanner
1    | 93
2    | 96
3    | 106

6 Clickjacking
In general, securing the websites is not enough. The websites' users can still become the victims of a kind of security attack called Clickjacking. To protect users from this attack, we developed a script running on the client-side system that automatically detects clickjacking and lets users continue surfing securely.
Clickjacking, also called a web framing attack [7], was reported by Jeremiah Grossman and Robert Hansen in 2008 [8]. This attack uses a transparent frame or a tiny frame to hijack the user's clicks. The Clickjacking attack is based on a simple idea: attackers construct a web page containing an invisible (or barely visible) frame, and the position of the frame is set so that it tricks users into clicking on elements in the frame while they think they are interacting with the parent page. In practice, clickjacking attacks are usable for the purpose of tricking users into clicking on banner ads, the "Like" button of social networks, buttons that share their webcam or initiate money transfers, or performing any action triggered by a user's mouse click [9, 10].
Recently, the clickjacking attack has become popular and many prevention techniques have been proposed, such as those provided in [11], X-FRAME-OPTIONS headers in [12], frame busting in [13], and others. Unfortunately, these techniques cannot protect users from some kinds of Clickjacking attacks that use sharing widgets, such as the Like button of Facebook [14] or the Plus One button provided by the Google Plus social network. These social widgets allow users to interact with the network with one click without leaving the context of the current page.
6.1 Proposed Algorithm
We propose an algorithm to detect hidden frames that can perform a Clickjacking attack in a web page, based on the attack variants in [10] and demonstrations collected from the Internet. Using this algorithm, we implemented Clickalert, a Firefox browser extension that protects users from clicking on an element that they do not fully see. There are different browsers such as Microsoft Internet Explorer, Google Chrome, Mozilla Firefox, Safari, Opera and others, but we chose Mozilla Firefox for this research. The model is shown in Figure 9.
In this model, the main program receives a list of URLs as input, sends it to the Firefox browser, receives the results of the scanning process and returns the final report.
Our extension can be used by all Internet users to protect themselves from this kind of attack: it warns them when they click on a hidden element in an iframe. Furthermore, the extension can help security experts to test a large number of web pages for clickjacking attacks.
28 REV Journal on Electronics and Communications, Vol. 10, No. 1–2, January–June, 2020
Listing 2
Checking the Visibility of An Element (the paper's pseudo code written out in JavaScript; isVisible() is the visibility checker function described below)

function isHiddenFrame(iframe) {
    // Start from the iframe that needs to be checked for visibility
    let parent = iframe;
    while (parent !== null) {
        // Check the visibility criteria of the current element
        if (isVisible(parent)) {
            // Criteria met: move up to the parent element
            parent = parent.parentElement;
        } else {
            return true;   // an invisible element was found on the chain
        }
    }
    return false;          // every element up to the root is visible
}
Figure 9. Clickjacking Detection Model.
The key point of our approach is to check the attributes of all elements in a web page and find those that match the criteria defined below, by examining all HTML/CSS attributes of the web page being checked. Listing 2 shows the pseudo code we use to check the visibility of an iframe in the current web page. We start checking from the frame element in the DOM tree [15, 16]. Then we check the visibility property of the selected element and of all its ancestor elements. If any of these elements does not pass the visibility checker function, this is an indication of an invisible element used for a Clickjacking attack.
To check the visibility of an HTML element, as mentioned in [15], we verify whether its attributes meet the following criteria:
• Opacity: the opacity CSS property describes the opacity level of an element; its value is in the range 0 (transparent) to 1.0 (completely visible). The condition is that the value of the opacity property must be higher than a certain threshold. These properties can be checked in JavaScript (the language used to build the browser add-on) through the window.getComputedStyle() API, which returns the final computed CSS values of an element once the web page has loaded completely in the browser.
• Dimensions: the dimensions of an element can also influence its visibility, e.g. the width and height of an element can be set to zero to hide it. For this condition, we define minimum thresholds for width and height, and the dimensions of an element must be higher than these thresholds.
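The two criteria above, applied along the ancestor chain as in Listing 2, can be written as a small self-contained checker. The code below is an added example and is not the Clickalert extension's own code: the threshold values, the browserGetStyle() adapter, the constructed DOM-like tree and the placeholder frame URLs are all assumptions made for the example. It goes slightly beyond the text by reporting which element on the chain failed and why, which is what a user warning or a scan report would need to show.

```javascript
// Added example (not the Clickalert extension's own code). Applies the two
// visibility criteria of Section 6.1 to every iframe on a page, walking the
// ancestor chain as Listing 2 does. Threshold values are assumptions.
const THRESHOLDS = { minOpacity: 0.5, minWidth: 20, minHeight: 20 };

// Returns the first criterion that one node fails, or null if it passes.
function failedCriterion(style, t) {
  if (style.opacity < t.minOpacity) return `opacity ${style.opacity} < ${t.minOpacity}`;
  if (style.width < t.minWidth) return `width ${style.width}px < ${t.minWidth}px`;
  if (style.height < t.minHeight) return `height ${style.height}px < ${t.minHeight}px`;
  return null;
}

// Listing 2 as a function: starting at the iframe, check each ancestor up to
// the root. A failure anywhere on the chain means the frame is not fully
// visible, even if the frame element itself looks fine.
function checkFrameVisibility(iframe, getStyle, t = THRESHOLDS) {
  for (let node = iframe; node !== null; node = node.parentElement) {
    const reason = failedCriterion(getStyle(node), t);
    if (reason !== null) return { hidden: true, node, reason };
  }
  return { hidden: false, node: null, reason: null };
}

// Audit every frame of a page; `frames` is any iterable of iframe elements
// (document.querySelectorAll("iframe") in a browser content script).
function auditFrames(frames, getStyle, t = THRESHOLDS) {
  const results = [];
  for (const f of frames) {
    const r = checkFrameVisibility(f, getStyle, t);
    results.push({ src: f.src, hidden: r.hidden,
                   culprit: r.node ? r.node.tagName : null, reason: r.reason });
  }
  return results;
}

// Counts in the shape of Table VIII.
function summarizeAudit(results) {
  const hidden = results.filter((r) => r.hidden).length;
  const total = results.length;
  return { visible: total - hidden, hidden, total,
           hiddenPercent: total ? Number(((hidden / total) * 100).toFixed(1)) : 0 };
}

// Style source for a real browser (assumption: run after the page has loaded
// so computed styles are final). Not exercised by the offline sample below.
function browserGetStyle(el) {
  const cs = window.getComputedStyle(el);
  const rect = el.getBoundingClientRect();
  return { opacity: parseFloat(cs.opacity), width: rect.width, height: rect.height };
}

// ---- Constructed DOM-like tree so the example runs outside a browser ----
function makeNode(tagName, style, children = [], src = "") {
  const node = { tagName, style, parentElement: null, children, src };
  for (const c of children) c.parentElement = node;
  return node;
}
const treeGetStyle = (el) => el.style;

// Constructed sample page; the *.example hosts are placeholders.
const VISIBLE = { opacity: 1, width: 300, height: 200 };
const SAMPLE_PAGE = makeNode("BODY", VISIBLE, [
  // a genuine, fully visible widget frame
  makeNode("IFRAME", VISIBLE, [], "https://widget.example/like"),
  // a near-transparent overlay frame: hidden by the opacity criterion
  makeNode("IFRAME", { opacity: 0.01, width: 300, height: 200 }, [], "https://bank.example/transfer"),
  // a frame whose own style passes but whose wrapper has zero height:
  // only the ancestor walk catches this one
  makeNode("DIV", { opacity: 1, width: 300, height: 0 }, [
    makeNode("IFRAME", VISIBLE, [], "https://social.example/share"),
  ]),
]);

function collectIframes(node, acc = []) {
  if (node.tagName === "IFRAME") acc.push(node);
  for (const c of node.children) collectIframes(c, acc);
  return acc;
}

function sampleAudit() {
  return auditFrames(collectIframes(SAMPLE_PAGE), treeGetStyle);
}
```

On the constructed page the first frame passes, the second is flagged on the frame element itself (opacity), and the third is flagged on its DIV ancestor (height), which is exactly the case that a check of the frame element alone would miss. In a browser, the same auditFrames() call would be run with browserGetStyle() and the page's real iframe elements.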
Table VIII
Experimental Results of Clickjacking Attack
Result  | Number of websites checked | Percentage
Visible | 695                        | 95.3
Hidden  | 34                         | 4.7
Total   | 729                        | 100
Using the algorithm described above, we developed the Clickalert extension, which protects users from Clickjacking attacks while they surf the Web. When users have our extension integrated into their Firefox browser, whenever they click on an element in the browser the extension checks whether that element belongs to an iframe and whether it is visible to the user. They receive a warning if they click on an element in a frame that is not fully visible. Our extension also has a feature that allows users to remove a hidden frame when they click on it accidentally.
6.2 Experimental Results
We created sample pages containing malicious code for a Clickjacking attack. We accessed those pages and observed that the browser add-on works correctly and sends an alert whenever the user clicks on a hidden iframe. It can also detect all hidden iframes and their source code.
We chose 729 websites, collected from [17] and [18], and used our add-on to scan them and find out which websites may trick users with a Clickjacking attack, as shown in Table VIII.
6.3 Discussion
Clickjacking is a web-based attack that has been the subject of many security reports recently. As an appendix to the framework proposed for website security assessment, we created an extension that can be integrated into users' browsers as an add-on to protect them from Clickjacking attacks. Experimental results showed that the extension works properly in the case where users click on an invisible element intentionally created by attackers.
7 Conclusions
The contribution of our paper is not the creation of a new scanning tool; instead, we suggest a way to integrate different plugins to get better results. We showed that it is very easy to add a new plugin to the framework and to configure the framework to work with the new plugin.
Different tools give results in different formats, so we need to map them onto the desired format as provided by OWASP. The results given by our framework are acceptable; however, we could speed up the scanning by running the tools in parallel, and we will consider this issue in future work.
Regarding clickjacking, we provided an effective way to detect hidden frames and implemented it in Firefox. This tool can protect users from clickjacking on an element that they do not see.
Acknowledgment
This research is funded by Vietnam National University Ho Chi Minh City, under grant number C2017-20-19.
References
[1] Symantec Internet Security Report, vol. 24, 2019.
[2] OWASP Top 10 Most Critical Web Application Security Risks. [Online]. Available: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project (accessed Jan. 25, 2019)
[3] YASCA, official website. [Online]. Available: yasca.org, or on GitHub: https://github.com/scovetta/yasca (accessed Jul. 2018)
[4] J. Bau, E. Bursztein, D. Gupta, and J. Mitchell, “State of the art: Automated black-box web application vulnerability testing,” in Proceedings of the IEEE Symposium on Security and Privacy. IEEE, 2010, pp. 332–345.
[5] D. Esposito, M. Rennhard, L. Ruf, and A. Wagner, “Exploiting the potential of web application vulnerability scanning,” in Proceedings of the Thirteenth International Conference on Internet Monitoring and Protection, 2018, pp. 22–29.
[6] Home of Acunetix Art. [Online]. Available: http://testphp.vulnweb.com (accessed Aug. 2019)
[7] Cursorjacking again. [Online]. Available: kotowicz.net/2012/01/cursorjacking-again.html (accessed Jan. 2012)
[8] R. Hansen and J. Grossman. Clickjacking. [Online]. Available: (accessed Jan. 25, 2019)
[9] M. Johns and S. Lekies, “Tamper-resistant likejacking protection,” in Proceedings of the International Workshop on Recent Advances in Intrusion Detection. Springer, 2013, pp. 265–285.
[10] L.-S. Huang, A. Moshchuk, H. J. Wang, S. Schecter, and C. Jackson, “Clickjacking: Attacks and defenses,” in Proceedings of the 21st USENIX Security Symposium, 2012, pp. 413–428.
[11] A. S. Narayanan, “Clickjacking vulnerability and countermeasures,” International Journal of Applied Information Systems, vol. 4, no. 7, pp. 7–10, 2012.
[12] D. Ross, T. Gondrom, and T. Stanley, HTTP Header Field X-Frame-Options (RFC 7034), Internet Engineering Task Force (IETF), 2013. [Online]. Available: https://www.ietf.org/rfc/rfc7034.txt (accessed Jan. 2018)
[13] G. Rydstedt, E. Bursztein, D. Boneh, and C. Jackson, “Busting frame busting: a study of clickjacking vulnerabilities on popular sites,” in Proceedings of the IEEE Oakland Web 2.0 Security and Privacy (W2SP’10).
[14] Facebook worm - “likejacking”. [Online]. Available: facebook-likejacking-worm/ (accessed May 2010)
[15] P. Thiemann, “A type safe DOM API,” in Proceedings of the International Workshop on Database Programming Languages. Springer, 2005, pp. 169–183.
[16] M. Heiderich, T. Frosch, and T. Holz, “IceShield: Detection and mitigation of malicious websites with a frozen DOM,” in International Workshop on Recent Advances in Intrusion Detection. Springer, 2011, pp. 281–300.
[17] Top 1000 websites. [Online]. Available: https://www.alexa.com/topsites
[18] Free web stats counter from Motigo Webstats - catalogue/top 1000 sites. [Online]. Available: https://trends.builtwith.com/websitelist/Motigo-Stats
Nguyen Duc Thai received his BSc. (MSc.) and Ph.D. from the Slovak University of Technology in Bratislava, Slovakia, in 1996 and 2005 respectively. He is currently Head of the Department of Computer Systems and Networking, Faculty of Computer Science and Engineering, Ho Chi Minh City University of Technology. He has been actively involved as a researcher and teacher in the area of computer networks and network security for many years.
Nguyen Huu Hieu is currently a full-time researcher at Ho Chi Minh City University of Technology. He received his B.Sc. and M.Sc. degrees from Ho Chi Minh City University of Technology in 2012 and 2015, respectively. His current research interests include network security and website security.
