An Innovative Method of Malicious Code Injection Attacks on Websites
Main Article Content
Abstract
This paper provides a model to identify website vulnerability to Code Injection Attacks (CIAs). The proposed model identifies vulnerabilities to CIA of various websites, to check vulnerable to CIAs. The lack of existing models in providing checking against code injection has motivated this paper to present a new and enhanced model against web code injection attacks that uses SQL injections and Cross-Site Script (XSS) injections. This paper previews a self-checking protection model which enables web administrators to know whether their current protection program is adequate, or whether a website needs stronger protection against CIAs. The Automated Injection’s model is to check vulnerable to cod injection. The checking methodology consists of many intrusion methods that the attacker may use to launch code injection attacks. Methodology can give a high precision of CIA vulnerability checking for a website compared with other approaches (the minimum accuracy different between proposed approach and other approaches is 3.15%). CIAs can be a serious problem for vulnerable websites including stealing, deleting, or altering important data. Extensive experiments are conducted and compared with existing research [e.g. 1, 5, and 9] to study the effectiveness of the proposed model that can check whether a website is vulnerable to CIAs. The performance of the suggested approach has been tested on SQL injections and XSS injections. The studies showed that the detection rate of our model is 95.27%, and the false positive rate is 5.55%.
Article Details
Issue
Section

This work is licensed under a Creative Commons Attribution 4.0 International License.
Deprecated: json_decode(): Passing null to parameter #1 ($json) of type string is deprecated in /home/u273879158/domains/mesopotamian.press/public_html/journals/plugins/generic/citations/CitationsPlugin.php on line 68
How to Cite
References
[1] J. Bau, E. Bursztein, D. Gupta, and J. Mitchell, "State of the art: Automated black-box web application vulnerability testing," in Proc. IEEE Symp. Security and Privacy , May 2010, pp. 332-345.
[2] J. Fonseca, M. Vieira, and H. Madeira, "Vulnerability & attack injection for web applications," in Proc. IEEE/IFIP Int. Conf. Dependable Syst. Netw. , June 2009, pp. 93-102.
[3] N. Neves, J. Antunes, M. Correia, P. Verissimo, and R. Neves, "Using attack injection to discover new vulnerabilities," in Proc. Int. Conf. Dependable Syst. Netw. (DSN'06) , June 2006, pp. 457-466.
[4] J. Fonseca and M. Vieira, "Mapping software faults with web security vulnerabilities," in Proc. IEEE Int. Conf. Dependable Syst. Netw. (DSN) , June 2008, pp. 257-266.
[5] J. Fonseca, M. Vieira, H. Madeira, and M. Henrique, "Training security assurance teams using vulnerability injection," in Proc. 14th IEEE Pacific Rim Int. Symp. Dependable Comput. , Dec. 2008, pp. 297-304.
[6] J. Fonseca, M. Vieira, and H. Madeira, "Testing and comparing web vulnerability scanning tools for SQL injection and XSS attacks," in Proc. 13th Pacific Rim Int. Symp. Dependable Comput. (PRDC 2007) , Dec. 2007, pp. 365-372.
[7] D. T. Stott, B. Floering, D. Burke, Z. Kalbarczpk, and R. K. Iyer, "NFTAPE: A framework for assessing dependability in distributed systems with lightweight fault injectors," in Proc. IEEE Int. Comput. Perform. Dependability Symp. (IPDS 2000) , Mar. 2000, pp. 91-100.
[8] P. Bhojak, V. Shah, K. Patel, and D. Gol, "Automated Web Application Vulnerability Detection With Penetration Testing," in ICRISET2017 , vol. 2, 2017.
[9] I. Medeiros, N. F. Neves, and M. Correia, "Automatic detection and correction of web application vulnerabilities using data mining to predict false positives," in Proc. 23rd Int. Conf. World Wide Web , Apr. 2014, pp. 63-74.
[10] H. Alnabulsi, M. R. Islam, and Q. Mamun, "Detecting SQL injection attacks using SNORT IDS," in Proc. Asia-Pacific World Congr. Comput. Sci. Eng. , Nov. 2014, pp. 1-7.
[11] Websmart Inc., "100000 Vulnerable Websites," Sep. 2017. [Online]. Available: https://samsclass.info/125/ethics/smart-websites.htm
[12] H. Alnabulsi and M. R. Islam, "Identification of susceptible websites from code injection attack," in Proc. 1st Int. Conf. Mach. Learn. Data Eng. (iCMLDE 2017) , 2017, pp. 1-9.
[13] E. Bertino, L. D. Martino, F. Paci, and A. C. Squicciarini, “Web services threats, vulnerabilities, and countermeasures,” in Security for Web Services and Service-Oriented Architectures, Berlin, Heidelberg, Germany: Springer Berlin Heidelberg, pp. 25–44, 2009
[14] A. A. Sarhan, S. A. Farhan, and F. M. Al-Harby, “Understanding and discovering SQL injection vulnerabilities,” in Proc. Int. Conf. Applied Human Factors and Ergonomics, Cham, Switzerland: Springer International Publishing, pp. 45–51, 2017
[15] R. A. Grimes, Hacking the Hacker: Learn from the Experts Who Take Down Hackers. Hoboken, NJ, USA: John Wiley & Sons, 2017
[16] M. S. Aliero, I. Ghani, K. N. Qureshi, and M. F. A. Rohani, “An algorithm for detecting SQL injection vulnerability using black-box testing,” J. Ambient Intell. Humaniz. Comput., vol. 11, no. 1, pp. 249–266, 2020
[17] "150 SQL Vulnerable Websites 2017 List," Aug. 2017. [Online]. Available: https://www.scribd.com/document/325850327/150-SQL-Vulnerable-Websites-2017-List
[18] "List Of web sites Vulnerable For SQL Injection," Aug. 2017. [Online]. Available: http://listsql.blogspot.com.au/
[19] "20 famous websites vulnerable to cross-site scripting," Aug. 2017. [Online]. Available: http://thehackernews.com/2011/09/20-famous-websites-vulnerable-to-cross.html
[20] O. Ismail, M. Etoh, Y. Kadobayashi, and S. Yamaguchi, “A proposal and implementation of automatic detection/collection system for cross-site scripting vulnerability,” in Proc. 18th Int. Conf. Advanced Information Networking and Applications (AINA 2004), vol. 1, pp. 145–151, 2004.
[21] A. K. Kassem, Intelligent System Using Machine Learning Techniques for Security Assessment and Cyber Intrusion Detection, Ph.D. dissertation, Université d'Angers, Angers, France, 2021.
[22] A. Avancini and M. Ceccato, “Security testing of web applications: A search-based approach for cross-site scripting vulnerabilities,” in Proc. IEEE 11th Int. Working Conf. Source Code Analysis and Manipulation (SCAM), pp. 85–94, 2011.
[23] M. Mohammadi, B. Chu, and H. R. Lipford, “Detecting cross-site scripting vulnerabilities through automated unit testing,” in Proc. IEEE Int. Conf. Software Quality, Reliability and Security (QRS), pp. 364–373, 2017.
[24] C. S. Cheah and V. Selvarajah, "A review of common web application breaching techniques (SQLi, XSS, CSRF)," in Proc. 3rd Int. Conf. Integr. Intell. Comput. Commun. Security (ICIIC 2021) , Sep. 2021, pp. 540-547.
[25] A. Javed, "Revisiting XSS Sanitization," in Proc. ISACA Ireland Conf. 2014 , 2014.
[26] H. Alnabulsi, R. Islam, and M. Talukder, "GMSA: Gathering Multiple Signatures Approach to Defend against Code Injection Attacks," IEEE Access, pp. 1-12, Nov. 2018.
[27] H. Alnabulsi, R. Islam, and Q. Mamun, "A novel algorithm to protect code injection attacks," in Proc. Springer Int. Conf. Appl. Techn. Cyber Security Intell. (ATCSI) , vol. 580, Springer China, pp. 281-292, 2018.
[28] S. K. Iqbal et al., "Real-time-based E-health systems: Design and implementation of a lightweight key management protocol for securing sensitive information of patients," Health Technol. , vol. 9, pp. 93-111, 2019.
[29] A. H. Mohsin et al., "Based medical systems for patient’s authentication: Towards a new verification secure framework using CIA standard," J. Med. Syst. , vol. 43, no. 7, art. 192, 2019.
[30] M. L. Shuwandy et al., "mHealth authentication approach based 3D touchscreen and microphone sensors for real-time remote healthcare monitoring system: comprehensive review open issues and methodological aspects," Comput. Sci. Rev., vol. 38, art. 100300, 2020.
[31] A. Alamleh et al. , "Federated learning for IoMT applications: A standardization and benchmarking framework of intrusion detection systems," IEEE J. Biomed. Health Inform. , vol. 27, no. 2, pp. 878-887, 2022.
[32] M. Abuhamad, A. Abusnaina, D. Nyang, and D. Mohaisen, “Sensor-based continuous authentication of smartphones’ users using behavioral biometrics: A contemporary survey,” IEEE Internet Things J., vol. 8, no. 1, pp. 65–84, 2020.